Forgot your password?
typodupeerror
Linux Software

Yet Another Crack-This-Box Challenge 137

Posted by Hemos
from the who-else-is-tired-of-this dept.
Sand_Man wrote to us with the latest public relations stunt with crack-a-machine trials. This is a month long trial, pitting Linux vs. NT boxes against each other. Details are in the story, but does this whole thing strike everyone else as tired PR stunts now?
This discussion has been archived. No new comments can be posted.

Yet Another Crack-This-Box Challenge

Comments Filter:
  • In case you didn't notice all the comments, it turned out to be user error by the /. admin posting the story (she posted it before she had finished editing it). /. is still in a "beta frame of mind", things happen. Bad things happening are often not the result of malice but rather of mistakes.
  • What better way to get a hacker profile database then offer a huge carrot to them to attack a system?

    Next it'll be "Win $1,000,000 if you can assassinate [insert public official's name here]", Sponsored by Wal-Mart.
  • I sent the following e-mail to the test manager at ZD:

    I've read numerous comments on various Linux news sites suggesting this is an utterly meaningless test. As a consultant who has done some security work, I must say I do not agree that this test is completely valueless, but it most emphatically is not a test of the relative security of either operating system. This is much more a test of the quality of the firewall product and the completely different web applications running on each server.

    Because the most common exploits revolve around poorly written web applications (vulnerable to buffer overruns and so forth), this quite simply is, while not valueless, a totally dishonest test.

    You should be using the same web application on both machines, with full source code disclosed. Ideally, you would even be running the same web server with full source code (Apache? Although they really aren't the same code when compiled for the differing OSes).

    As I said, I think the test might well be very interesting, but to cast it as a contest between NT and Linux is intellectually dishonest. No meaningful conclusions about OS selection can be made on the basis of this test.
  • same year! Coincidence? I think not!! :)
  • by kevlar (13509) on Monday September 20, 1999 @06:45AM (#1671443)
    There is definately something fishy here. Both boxes are behind a firewall unidentified by nmap. Translation is that they have some kind of routing firewall to prevent certain ports from being attacked. What kind of contest is this if the ports that are "open" are sitting behind a firewall that won't allow anything more than a 3-way handshake? This is to show NT is secure. I have no doubt anymore. Someone is playing a foul game here.


    [root@kevlar /root]# nmap -sT -O securent.hackpcweek.com

    Starting nmap V. 2.2-BETA4 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
    Interesting ports on securent.hackpcweek.com (208.184.64.171):
    Port State Protocol Service
    21 open tcp ftp
    23 open tcp telnet
    25 open tcp smtp
    70 open tcp gopher
    80 open tcp http
    119 open tcp nntp
    139 open tcp netbios-ssn
    420 filtered tcp smpte
    443 open tcp https

    TCP Sequence Prediction: Class=truly random
    Difficulty=9999999 (Good luck!)
    No OS matches for host (see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
    TCP/IP fingerprint:
    TSeq(Class=TR)
    T1(Resp=Y%DF=Y%W=2017%ACK=S++%Flags=AS%Ops=M)
    T2(Resp=N)
    T3(Resp=Y%DF=Y%W=2017%ACK=S++%Flags=AS%Ops=M)
    T4(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
    T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
    T6(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
    T7(Resp=N)
    PU(Resp=N)

    [root@kevlar /root]# nmap -sT -O securelinux.hackpcweek.com

    Starting nmap V. 2.2-BETA4 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
    Interesting ports on securelinux.hackpcweek.com (208.184.64.170):
    Port State Protocol Service
    21 open tcp ftp
    23 open tcp telnet
    25 open tcp smtp
    70 open tcp gopher
    80 open tcp http
    119 open tcp nntp
    139 open tcp netbios-ssn
    420 filtered tcp smpte
    443 open tcp https

    TCP Sequence Prediction: Class=truly random
    Difficulty=9999999 (Good luck!)
    No OS matches for host (see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
    TCP/IP fingerprint:
    TSeq(Class=TR)
    T1(Resp=Y%DF=Y%W=2017%ACK=S++%Flags=AS%Ops=M)
    T2(Resp=N)
    T3(Resp=Y%DF=Y%W=2017%ACK=S++%Flags=AS%Ops=M)
    T4(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
    T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
    T6(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
    T7(Resp=N)
    PU(Resp=N)


    Nmap run completed -- 1 IP address (1 host up) scanned in 24 seconds
  • This pretty much invalidates the whole thing for me. It is probably filtering everything but web traffic ( i would verify but the whole thing is so slow right now I can't deal.)
    They say that if a machine isn't behind a firewall it doesn't have anything worth securing. While this may be true this has nothing to do with testing the security of the machine behind the firewall. The firewall is what you are testing at this point. I've pretty much discarded this whole thing. Anyone can close everything but port 80 and 443. What a joke.
  • I hate to burst your optimism, but this test doesn't look to me like it is come out in favor of linux.

    The very quote you cite,
    All to often testing focuses on the speeds and feeds of a product. PC Week Interactive aims to change that. This first is a series of tests aim to look past the standard performance features of an application, and examine its reliability, usability, security, and total cost of ownership.

    sounds to me like this is going to be result in "with our ultra-scientific testing results, we've determined that MS Windows NT is without a doubt more stable, reliable, user-friendly, and lower in total cost of ownership than Linux." I've seen it too many times before.

    Also, when they mention several sites that have been recently hacked, such as ABCnews and the Drudge Report, they say that some were running NT and some were running linux, but Netcraft results indicate that they were all running some flavor of NT and IIS. Already the facts aren't completely straight.

    Finally, it all comes down to how the boxes are administered. I don't know anything about the additional software they are putting on it for serving classified ads, but it could be wide open to hackers, especially if it runs as root (don't put it past them). Furthermore, Redhat is not the most secure linux distro out of the box. When Redhat makes a corporate sale with service packages, I'm sure they tweak the post-installation for security.
  • They tell you under the topology link on the site that the boxen are behind a raptor firewall. netcraft scans are going to be incorrect. Our companie's web server shows up as IIS 4 on BSDi. Our firewall is based on BSDi. Kinda funny.
  • I just went to check it out. http://www.hackpcweek.com/ is already down, adding to the lameness of this contest...
  • by EisPick (29965)
    > Details are in the story, but does this whole thing
    > strike everyone else as tired PR stunts now?

    Yes.
  • by bmetzler (12546) <bmetzler@li v e . com> on Monday September 20, 1999 @06:56AM (#1671450) Homepage Journal
    This test will prove nothing. If the NT box is cracked/hacked/took down everyone on /. will say. Microsoft sucks, NT sucks, it got cracked etc. etc. If the linux Machine is hacked someone will cry that whoever did whatever did not tighten the security enough.. Either way it proves nothing.. So whats it matter.. What a silly contest

    Yep, and the converse is true too. If Linux is hacked, then MS will say, "See, trust your servers with us." But if NT is hacked, they will say "The admins weren't competent".

    It has been said already. Crack challenges prove squat. If one OS or the other gets cracked, it won't prove that either is more secure. It'll just prove that a one point in time, one script kiddie cracked one server. And nothing more.

    Also, security depends more on how the server was configured then just the OS used. Mindcraft anyone? When I first saw this I thought, "Sure MS could pay PC Week to 'misconfigure' Linux". But back to the presumption that PC Week is independent and hasn't been paid [cnet.com] by MS, how competant were the admins that configured these servers? Probably the MS admin was MCSE certified. Perhaps the Linux admin has taken the Red Hat certification, at minimun?

    -Brent
    --
  • Starting nmap V. 2.3BETA5 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
    Interesting ports on securelinux.hackpcweek.com (208.184.64.170):
    Port State Protocol Service
    21 open tcp ftp
    23 open tcp telnet
    25 open tcp smtp
    70 open tcp gopher
    119 open tcp nntp
    139 open tcp netbios-ssn
    420 filtered tcp smpte

    TCP Sequence Prediction: Class=truly random
    Difficulty=9999999 (Good luck!)
    Remote operating system guess: AXCENT Raptor Firewall running on Windows NT 4.0/SP3

    Nmap run completed -- 1 IP address (1 host up) scanned in 37 seconds
  • I wonder if similar IP's will get cracked as well this time.

    But seriously, i think that these don't really help anybody very well. I'm mean what can they really tell us?

    -- Moondog
  • I have a 386 sx/25 running DOS 6.22, clean install, if you crack it you get it... okay... now go for it!
  • by Zamis (81530)
    Yeah! But this one lets you watch the logs.
  • by Anonymous Coward
    Easy solution. Name one wrestler Linux, the other NT. Let them go at it on pay-per-view for $29.95. Hell, I'd pay.
  • Before this article is /.'ed, the URL for the challenge is http://www.hackpcweek.com [hackpcweek.com].

    Of course, that doesn't help if it's PC Week that /.'ed :-)

    Good Luck!

    -Brent
    --
  • by shrewmy (37432)
    Linux will win this round. You know most hackers who go there to break into the boxes are probably going to attack the NT box just to show Linux is more stable than NT.
  • by Anonymous Coward on Monday September 20, 1999 @06:11AM (#1671459)
    From the article: "Taschek also noted that, in recent weeks, the Nasdaq/Amex, the Drudge Report and ABC sites were all hacked in someway. Each of these three web sites runs either Windows NT with IIS or Linux as their front-line web servers. " From Netcraft: www.nasdaq.com www.nasdaq.com is running Microsoft-IIS/4.0 on NT4 or Windows 98 www.abc.com www.abc.com is running Microsoft-IIS/4.0 on NT4 or Windows 98 and finally (the worse yet!) www.drudgereport.com www.drudgereport.com is running Microsoft-IIS/5.0 on Windows NT5 beta We all know that both OSes are only as good as the person who administers them. This is an absolute joke. How much says Microsoft is sponsering this?
  • I mean, what's the point. I just read the Seattle P-I business section this morning where they regurgitate the Mindcraft study as if it were valid, with no negative comments, in an article on Java and Red Hat.

    So, seriously, what's the point? PC Week is not unbiased, as any longtime reader knows, and it's pretty obvious that they'll just feature whatever positive spin they can make as to "why IIS and NT is a better choice for your average user who uses ASP" or some such comment.

    I've got work to do.

  • It seems like hackpcweek.com is already down :) Slashdotted or hacked? I dunno...
  • it's called the slashdot effect, turbo...
  • This is just MS' ploy to find the hole in NT. They know that someone out there has an exploit for a serious security hole in NT, and they want it. I have no doubt that they are sponsoring it, and the bounty of $1000 is to get the people who have the exploit to use it on the machine. This would explain the firewall. Not only is there a firewall, but they're piping all information to another machine which logs the packets. Try a traceroute, you'll make it to the firewall, but not past it. However you can ping it and get a response. Whoever has the exploit, don't use it unless you feel like giving it up, because the second you use it on the machine, you'll be giving MS the precise location of the security hole.
  • I hate to burst your optimism, but this test doesn't look to me like it is come out in favor of linux.

    *pop* Thanks for bringing me back to reality. I was really trying hard to be positive. But I know deep down inside that you are (probably) right.

    ...sounds to me like this is going to be result in "with our ultra-scientific testing results, we've determined that MS Windows NT is without a doubt more stable, reliable, user-friendly, and lower in total cost of ownership than Linux." I've seen it too many times before.

    And I thought Linux was strong in all those areas. But you are right. The test results don't depend on how the OS's themselves hold up, but more on the biases of the testor's.

    Well, PC Week has said there will be a series of tests, so I guess the best thing to do would be to watch the tests carefully, and be sure to point out all the problems, the best we can.

    -Brent
    --
  • This is ridiculous. It's not our job to find the security holes in OS's.

    This is probably where you'll see the difference between programmers who love what they do (Open-Source) and programmers who live by a punch-clock (Microsoft).

    May the better OS win!
  • by jafac (1449)
    unfortunately, it's much easier for millions of script kiddies to simply flood the connection and ruin it for everyone else.

    Maybe this sort of thing should best be done on isolated networks, monitored by judges, like a sport.
    Or maybe I'm just depressed because it's Monday.

    "The number of suckers born each minute doubles every 18 months."
  • Before Hackpcweek went down (uh, I think it's down, my proxy comes back with a "could not be loaded" error in a split second...) I had a look at their log page. Apparently they log all attacks on the NT box, linux box, and the main web server for the trial. The attack split was something like 15% against NT, 10 % against linux, and 75% against the main web server. And now it's down. Go figure.

    I must say I like the test so far:

    1) they're doing it over a month so they should be able to modify the test as it goes on.
    2) they allow everyone to see the process of what's going on.
    3) I have no knowledge of system security whatsoever. PR stunt aside, I think that this test will be very informative for myself, and others like me who are looking to learn about how this type of thing goes down. Not everything is contained in man and info pages. ;)

    As to #2: Therefore, if something bad happens to one of the servers, it'll get put up on /. Therefore, if the bad thing happened becuase of their setup (*cough*apachetest*cough*), so many people will complain that will hopefully be forced to fix the problem (see #1). Like this whole firewall arguement thats brewing.

  • by Wakko Warner (324) on Monday September 20, 1999 @07:20AM (#1671475) Homepage Journal
    What we need now is a "box this crack" contest: drive through Harlem and pick up a few dealers and have them compete to see how fast they can get a shipment packed, false-bottomed, filled with Beanie Babies, and sent out via UPS.

    That's real, honest-to-God, cutthroat competition.

    - A.P.
    --


    "One World, one Web, one Program" - Microsoft promotional ad

  • Are these boxes dead already? I can't get a connection and my pings all time out, we're talking 100% packet loss. The contest has started, so I don't know what the excuse is. Probably the same as Microsoft's for their windows2000test machine: the router or the ISP. But Linux is on one of them so there must have been a catostrophic fire or flood perhaps...
  • It's not a tired PR stunt...we've never really had closure on this one. None of the previous hack-in-the-box contests were "won" officially, so I hope this one plays fully out.


    Dan
  • PR indeed. I don't see how this would prove anything; the time before a crack isn't significant, because you're always likely to run into a security hole early. So what if NT is cracked one week before Linux? It doesn't prove that Linux has better security (like we need proof), only that NT got unlucky and someone found an NT crack first.

    Somehow, though, I suspect people will put a lot more energy into cracking NT than cracking Linux. So Microsoft won't be using this "benchmark" as FUD. Good, cause that would have been annoying.

    "There is no surer way to ruin a good discussion than to contaminate it with the facts."

  • by vyesue (76216) on Monday September 20, 1999 @07:22AM (#1671480)
    it strikes me as a little ridiculous that people think that this is a real good metric by which one can judge the security of an operating system. I would guess (and I could be wrong) that the only people who are really going to attempt to break into these machines are the script kids; experienced, skilled hackers would probably steer clear of breaking into a site which was set up for the express purpose of attracting attacks.

    if I had some exploit that was useful against these machines, and I knew that the only purpose of these machines even being there was to find out how they can be compromised, I would never, ever use my attack on them. besides, whats the prize? several hundred bucks worth of gift certificates? and instant notoriety? thanks, but no thanks.
  • Why play into M$'s hands by helping them debug W2K? Save our best cracks for the real release. Of course, only on servers that challenge us to do so ;)
  • ... then stop sending stories about them to Slashdot.

    Yeah, they are tired PR vehicles. And there was a great essay from an earlier "crack this machine" Slashdot thread talking about why such stunts could actually harm a company's reputation (maybe someone can find it?)

    Jay (=
  • it strikes me as a little ridiculous that people think that this is a real good metric by which one can judge the security of an operating system. I would guess (and I could be wrong) that the only people who are really going to attempt to break into these machines are the script kids; experienced, skilled hackers would probably steer clear of breaking into a site which was set up for the express purpose of attracting attacks.



    if I had some exploit that was useful against these machines, and I knew that the only purpose of these machines even being there was to find out how they can be compromised, I would never, ever use my attack on them. besides, whats the prize? several hundred bucks worth of gift certificates? and instant notoriety? thanks, but no thanks.
  • Goods Points..but perhaps it is already working. Suppose you were charged with fielding a machine in a national ( international ? ) contest such as this?...the biggest problem so far seems to be keeping ANY machine up and running under an onslaught of attention..regardless of the stated purpose or OS. So what's a hot administrator to do to prove his worth? Maybe he bets another guy he can keep his box going longer than any body else can. The Web itself won't be robust until MOST servers can withstand this type of scrunity and traffic. BTW..If you are paranoid about masking your identity on a box you can't get busted for..get another trade.
  • The techs shorted out the IIS server by walking on the carpeting in a scuffing kind of way. This knocked out the server.

    After all, noone needs a UPS, do they?

  • Geez. Don't people get tired of having these tests last only a few minutes before something goes wrong.

    The main site www.hackpcweek.com isn't responding.
  • Now that the site is back up, I thought I would poke around the website and see some info on the hardware and what not..I came across this on each OS.


    about Redhat:

    We used the latest distribution from Redhat, along with Apache. Much thanks
    to the open source community for help in securing the server.


    okay..sounds cool. I'm curious as to WHO helped out.

    about Microsoft:

    Microsoft pitched in by modifying their guestbook application to a classified ad
    application. They also helped with the myriad configurations of Nt,
    IIS,SQLServer, and MTS.


    Look who decided to get thier hands into things. Not only did they "help" by rewriting the guestbook app, but they also did mods to NT,IIS,SQL server and Transaction Server.

    -- Like many have said earlier, It's not going to look good for linux. I could be wrong, but I was only wrong once and that was becasue I *THOUGHT* i was wrong ;)

    I mentioned before the use of the firewall throws out all the real world usage issues for me. This is a test of raptor if anything.

    On a funny note, notice that they were able to get MS to help with the detailed tweeking. I wonder If I could get them to do that for OUR IIS server? heheheh
  • Furthermore, MS can generate scripts from the logs: the NT scripts can be taken to their labs for debugging, the Linux scripts can be saved for future considerations. But not to worry, the only way Linux can be crushed is if _we stop developing it_
  • hmm.....this maybe everybody trying to crack the NT box, but, my portscanner ran about 1/3 faster on the Linux box.

    Also - the Netcraft results for securelinux.hackpcweek.com are:
    securelinux.hackpcweek.com is running Apache/1.3.6 (Unix) (Red Hat/Linux) on NT3 or Windows 95

    Anybody see anything wrong?

    That's my 1/50 of $1.00 US
    JM
  • Has anyone else noticed that the nt posting form thinks you are comming from 10.0.0.1 or somthing like that and will only let you(everyone) post 5 messages in 24 hours?
    Could this could be a loop hole for MS to say NT wasn't properly configured?
    Could it be a problem with the firewall?
    Could PC Week be trying to screw us?
    Could I just be paranoid?

    Dr_Funk
  • John Taschek from PCWeek says that the reason they're doing this is for an article on web server security.
    "We don't care which operating system (if any) is broken into first. We want to establish the basis for a story on the best practices for implementing security. Additionally, PC Week wants to open up our test labs to the community for these kinds of tests."
    The problem with that statement is the "test" will end when the first box is broken into. If they wanted to do an article on the "best practices for implimenting security, wouldn't they fix the security leak and keep the test up?
    It isn't stated whether the systems have been hardened or are just standard installs, but it'd be bunk if the NT system had all the latest service packs and the Linux box was a straight install of RedHat 6.0 with everything enabled and wide open.
  • Hmm... I dont know what they are running their website on but, it has already gone down for one reason or another. If you ask me it's just like everything else. I do something really great, make alot of money, and draw alot of attention to myself, and someone turns around a month later and does the same thing. It's outrageous. I feel as though I have returned to third grade on recess yelling, "Copy Cat, Copy Cat, Copy Cat!" Pete
  • That's basically all it can be.

    There's no way you can actually prove anything simply by saying "Yeah, well, I had my NT box online, asked people to crack it, and no one managed to. Yet, BillyJoeBob's Linux box got cracked! So ha!"

    First off, you have to monitor how many break in attempts there are. There could easily be double on the NT box because more anti-NT people heard about it than anti-Linux people.

    Second, you have no idea if the people trying to crack into the boxes are of equal skill level.

    Third, Linux is *way* too customizable. Sure, you could claim to install it with default settings and such, but that's not really proving anything, since that would just make the distribution's default settings at fault if somone cracks in, not Linux.

    I have a feeling that we'll be seeing more of these as time goes on.

    Julian
    --
  • by Anonymous Coward
    >"Taschek also noted that, in recent weeks, the
    >Nasdaq/Amex, the Drudge Report and ABC sites
    >were all hacked in someway. Each of these
    >three web sites runs either Windows NT with
    >IIS or Linux as their front-line web servers. "

    Hey that's not incorrect! Each of the three web sites does run either NT / IIS or Linux. Hell, each of the three web sites runs either NT / IIS or a webserver written in Basic on the Commodore 64 in my bathroom.

  • The WinNT would have to be a Sumo (sp?) westler. Linux would have to be young and powerful as fuck as well as having great endurance. Since endurance=uptime. heheh.
  • by Anonymous Coward
    Linus vs. Bill
  • I have no doubt that if problems are identified that they will be fixed and passed along. I guess I thought there was a lot less PR noise to this test than some of the others we have seen lately. To me, this seemed like another facet of peer review by an impartial (well....) tester. Even if it is a PR stunt, we can still use it to improve Linux. Hell, Mindcraft was the mother of PR stunts, and we ended up getting some info on parts of the kernel that needed attention. Ultimately the PR noise will made irrelevant by the facts.
  • by Haven (34895)
    I am sick of all this. I am just going to find out where these damn servers are and break into the server room (physically with a crowbar), and crack the computers (physically with a crowbar), then when I go to claim my prize I will crack the people who thought they should get on the bandwagon by doing thier own competition (physically with a crowbar).
  • Like many databases, this one highlights all instances of a search term. The person that found this article and submitted the URL had done a search on "Linux," and that's why "Linux" is highlighted everywhere it occurs (even the headline).
  • This is dumb! They have the boxen on the other side of a firewall. And did I read right? The $1000 isnt in CASH? Maybe they will give the winner $1K in MS software. They must be loggin all the packets. So be sure to use your best tricks so MS can learn them!
    They say right on the website that MS fixed some parts of NT...so they arnt even running a NT install that you or I could buy. Next week they will put the Linux box outside the f/w and put a username and root password in the issue.net. Screw them.
  • the site is Microsoft.com [microsoft.com]
  • by Anonymous Coward
    If http://securelinux.hackpcweek.com is really linux, why is it coming up as nt3 or 95 box on http://www.netcraft.com/whats? Strange... Even if the "linux box" is really 95, the NT will get cracked more, just because more capable people hate Microsoft.
  • by Pont (33956) on Monday September 20, 1999 @06:21AM (#1671519)
    If you, yes you, hack www.fbi.gov and put up porn, instructions for building nuclear weapons, and your actual home address, you will win the following:
    Free housing for 10-30 years!
    Free "food" for 10-30 years!
    Free sex for 10-30 years!
    Free training in a useful trade!

    Who can resist!
  • by Anonymous Coward
    Do we trust them to know how to set up a machine? Linux or Windows, thier lab people seem kind of out of it.
  • This and the other "contests" are just attempts by the FBI to catch one of the ULG or other groups in the act.

  • Check out their Why We're Doing this [hackpcweek.com] page.

    All to often testing focuses on the speeds and feeds of a product. PC Week Interactive aims to change that. This first is a series of tests aim to look past the standard performance features of an application, and examine its reliability, usability, security, and total cost of ownership.
    It's nice to see tests from high visiblity labs focusing more important things then whether a "car" can do 350 miles an hour, or 195 miles an hours, when the speed limit only lets the "car" go 85 mph.

    Sure, the PHB's might be awed by a server the can pump out static data 4 times faster then the bandwidth of a T1, but there are more important details to look at.

    When I look at buying a new car, I do more then just check how high the speedometer goes. Handling, braking, comfort, a great stereo system. Top speed in a car, unless you a racing, is largely insignificant when deciding on a car. A company that relies on the top speed of a car to selling it, will find that they have a niche market.

    Microsoft relies on "optimising" it's servers to be fast on high end hardware. This is impressive to PHB's, but lacks the real important details needed in servers in production. It won't be long until the PHB's learn that speed isn't the most important thing in a server and they'll have knowledgable admins put servers in production that have real "features".

    Or maybe I'm just giving PHB's too much credit. Maybe they'll never learn. But it sounds like PC Week, at least has gotten the idea. Good for them

    -Brent
    --
  • by Hrunting (2191) on Monday September 20, 1999 @08:28AM (#1671527) Homepage
    1. Give the box to your average Joe Schmoe luser and let him set it up on a relatively bandwidth-capable link. Then have someone hack that. See what happens.
    2. Give the box to your average Joe Schmoe luser and see how long it stays up during average use (word processing, standard updates). Make sure to log how they use it.
    3. Give a Linux box to a bunch of Windows NT techs and see if they can set it up for (input server type here). Time how long it takes. Repeat task with Windows NT box and Linux admin.
    4. Setup a kiosk with with two boxes, one NT and one Linux running a Window Manager of choice. Give them passersby the choice of looking at Netscape on one or looking at Netscape on the other. See which one people use the most. Ask them why they don't use the other.


    Honestly, security is a nice issue and all, but there are so many other areas that both operating systems need improvement in. Security is such a function of administration that these contests show very little of the capabilities of the operating system. Try combining them with other aspects, like setup, administration, use, and scalability, and then your contest will really say something about the operating system.
  • It seems like everybody's first stop is a DNS for host lists. I found that "above.net" is hosting DNS services:

    [ns.above.net]
    hackpcweek.com. SOA ns.above.net dns.above.net. (1999091900 10800 3600 604800 86400)
    hackpcweek.com. NS ns.above.net
    hackpcweek.com. NS ns3.above.net
    hackpcweek.com. A 208.184.64.168
    securent A 208.184.64.171
    securelinux A 208.184.64.170
    forums A 208.184.64.169
    www CNAME hackpcweek.com
    hackpcweek.com. SOA ns.above.net dns.above.net. (1999091900 10800 3600 604800 86400)

    And that "above.net" is hosting the machines on their network.

    I have a web-page that polls web-server types every three days and I watched M$'s site go from IIS 4.0 to IIS5.0 and back to 4.0 in rouchly a weeks time. Hmm...wonder what happened there?

  • Nah, RMS and ESR are the guys we want for AI. They're ye olde Lisp hackers.
  • by CrAlt (3208)
    The webpage says cash but the rules say
    "To win the 1000 gift certificate you must mark up the home page or steal a file called top secret."

    hmmm....
  • it was lightning...
  • First telnetting into port 80 on both secure{nt,linux}.hackpcweek.com shows they're running identical server software. Then I try telnetting into the SMTP port and at both IPs I get "421 stopper.hackpcweek.com is not accepting new connections. Please try later". (Emphasis added).

    What an effing waste of time. I think only thing this "challenge" will prove is that nobody bothered.
  • by Anonymous Coward
    I liked the part about the discussions over
    which OS had more open standards.
    Is there _really_ a question in anyones mind?
  • Re: "Man didn't really land on the moon...NASA programmers simply produced a simulation on a Un*x system."

    Cute .sig, but of course you know the first couple of landings pre-date Unix.
  • I don't mean to belittle your effort, but if you check the front page of www.hackpcweek.com, you will find they prominately list AboveNet as their host ISP for this test. :-)
  • Maybe its just me here, or maybe not. But an nmap scan of all ports literally returned almost every port open. Now, not even redhat ships with that many daemons running by default, so its either the firewall (got my vote) or they went out of their way to make each box more insecure.

    If it is, in fact, the firewall at fault here, what is the point of having such an event, is the whole contest not pointless here? Wouldn't one have to be able to bypass this firewall first, making it a crack this firewall, and THEN crack this box contest? How do these results verify one OS more secure than the other. More importantly, how do ANY of these tests check up on OS security, since buffer overflows occur across almost all os's, and in fact its usually daemons that are exploited.


    -mike
  • by DragonHawk (21256) on Monday September 20, 1999 @01:30PM (#1671540) Homepage Journal
    It hardly stops there.

    The "Site Diary" link at the top of the page is broken.

    The "We'll be updating..." (/schedule) link on the front page is also broken.

    The "Home Office-Online" link in the sidebar under "Equipment Used" gives you the write-up for the H/P server.

    The "IIS on NT vs. Apache on Linux..." (/backgrounder.html) link has bogus characters in it (a target for the "Demoroniser" Perl script).

    This is supposed to make us believe the server admins know what they are doing? Please. Why not just have some high school students setup the site? I have a feeling that would be about as valid.
  • Sure, so you buy the party line about Unix, too. Anyone who has researched it knows that Unix was given to the people of Earth by the intergalactic travellers who colonized this planet. It's true. The source code was kept in the Ark of the Covenant. Think about it.

    Score: 0, not funny, off-topic, blasphemous

    Andy

  • If a system is cracked into, it's (probably) insecure.

    But just because a system hasn't been cracked, doesn't guarantee it is secure.

    In fact, if I were a malicious cracker, and found a hole in the security of either of these systems, I wouldn't tell a soul how I did it. I'd keep the knowledge to myself, and wait for some juicy targets running (insert least favorite OS here). Say, the next potential amazon.com.

  • It's obvious that the administration of servers has a major impact on their security. I wonder if the NT admins at pc-week are equally skilled as the Linux admins, or vice versa. It was shown before that difference in skill can give hard to swallow results. (mindcraft anyone?)
  • it can tell us a lot and help us

    mainly it is pr , and free pr is good some times as long as us the ppl in the community have a say and can set the records strait now and then and not let linux promise something it cant deliver (at the moment) . but this kinda tries when done right can get the message out that yes linux is a great os and an oss . to dispell myths that certian oses are the only way to go . mainly there is going to have to be some ethical discustions set down

    the fact that we can read the logs is pritty cool if it isnt always / and .ed , we are strong and will over come any thing.

    free speach as long as you dont lie is the way to go. lets back up our arguments
  • Seems like all the servers are going really slow, both the NT and Linux ones.

    Wonder if it's because /. effect, DoS attacks or both.

  • Actually, I'd call it more of a Non-Moderating Censorship. Comments disappear, stories disappear (specificly the one this morning about the CEO of Infoseek being arrested for Kiddie porn). Not sure if Taco just didn't like the comments, or if he thought it was the wrong kind of article for /.
    Personally I didn't like the article at all... or the comments.
  • http://www.netcraft.com/whats/?host=www.hackpcweek .com

    Shows.

    www.hackpcweek.com is running Microsoft-IIS/4.0 on NT3 or Windows 95

    NT3 or Windows 95????

  • What happened to predictions that windows2000test would be cracked in minutes? 8 open ports and no successful attempts? Last reboot almost a month ago? C'mon people!

    Good grief! We've got real issues to work with other then spending the next three months playing with Microsoft's beta OS.

    When Microsoft announced the challenge we did our duty and "checked out" the server. And guess what? It failed miserably. Having proved that we went back to playing with our toys.

    Perhaps if MS wants any more testing they can go out and pay a real security company to test their OS. We're just tired of knocking their poor server down, enough is enough.

    Its ran for a month without reboot? If so, good for them. Goes to show that MS can develop a server that runs great - when no one uses it.

    -Brent
    --
  • Come on, i think the idea is getting old. I mean, basically, its been done already. The origional concept with micro$oft and LinuxPPC was a good concept, but now its just copycats.
  • They could use F5 networks BIG/IP and 3DNS solution to load balance between 2 machines serving content. One could be NT one Linux. Same IP address and domain names. However, if you go to the site you'll find that there are links to each box
    securent.hackpcweek.com
    and
    securelinux.hackpcweek.com

    I predict NT gets hit more because it has less to type for the lazy script kiddies out there. :)

  • In this article, John Taschek implies that one of the recently cracked sites was running Linux. For those who are interested, there is a running debate about this article on Linux Today in which Mr. Taschek has been participating. The article is at

    http://linuxtoday.com/talkback/38904.html

    In the discussion, I challenged him to defend his position about why he implied that Linux had been cracked. He responded by saying that Matt Drudge's main page (www.drudge.com) runs Linux. Of course, the page that was cracked was www.drudgereport.com which runs IIS on NT.

    In short, John Taschek is a liar who has no credibility WRT Linux, and the purpose of this test, it is clear, is to either damage Linux's reputation or try to repair NT's.

    Of course, I think we all knew that already!

    Aaron
  • Since they have a firewall with ACLS on all ports except 80 I think we are testing a firewall instead.
  • Attempts to test post ads to their NT box are severely restricted. It's all of 7:00am and I get the following:
    You are entering a submission from IP address - 10.0.0.1.

    We are currently accepting a maximum of 5 submissions per 24 hour period for each unique IP address.

    If you wish to provide further feedback on this site, please visit again tomorrow.

    My first observance is that my actual IP in no way resembles 10.0.0.1 in the deepest reaches of my imagination. (Somebody didn't check their scripts from anywhere but localhost.)

    By my estimates, this means you have to access by 5:00am to test this route for hacking in. The Linux server was correctly configured to allow more posting access and to time-out ads based on user-selected options.

    D. Keith Higgs
    CWRU. Kelvin Smith Library

  • I want to see Linus and Alan get together and write an AI for Linux, which will do battle with a Microsoft-written AI for Windows. Put them on their own private subnet, and see which AI cracks the other one first (and cracking the other's monitor with a robotic hammer doesn't count)
  • by PCM2 (4486)
    The impression I got from Garfinkel and Spafford's fairly-accessible book "Practical Unix and Internet Security, 2e" (O'Reilly) was that, even if everything else in the book went completely over your head, you should at least understand that crack-this-box contests don't prove @!$%#$.

    So why bother with them?
  • Well, a telnet to port 80 says it's Linux:
    >$ telnet securelinux.hackpcweek.com
    >Trying 208.184.64.170...
    >Connected to securelinux.hackpcweek.com.
    >Escape character is '^]'.
    >HTTP/1.1 200 OK
    >Date: Mon, 20 Sep 1999 18:39:01 GMT
    >Server: Apache/1.3.6 (Unix) (Red Hat/Linux)

    But even stranger... queso reports it as neither!

    >$ queso securelinux.hackpcweek.com
    >208.184.64.170:80 * HP/JETdirect Printer (old model)

    So this begs the question... are they running behind some kind of firewall/load balancing proxy?

The most delightful day after the one on which you buy a cottage in the country is the one on which you resell it. -- J. Brecheux

Working...