Slashdot Log In
Microsoft /asks/ "Crack this machine"
Posted by
Hemos
on Tue Aug 03, 1999 10:31 AM
from the they-asked-for-it dept.
from the they-asked-for-it dept.
zealot writes "Apparently Microsoft wants people to try breaking the security on this site, which is running Win2k w/ IIS. There are some "rules" of engagement. " Basically, because it's not behind a firewall, it doesn't count to throw huge numbers of packets at it, but there are multiple users accounts-change stuff, look for hidden messages, or "get something you shouldn't have".
This discussion has been archived.
No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
Full
Abbreviated
Hidden
Loading... please wait.
Javascript Dies in Netscape (Score:2)
=(
Anyone else experience this?
Chief Archer
m$ comments about javascript problem (Score:3)
[windows2000test.com]
message board
We have disabled the abilty of the Netscape browser to view our page for specific reasons. Please do not flame the messege board with comments pertaning to the inabilty to view the page in Netscape. Any comments relating to this should be directed at the Webmaster in charge of this page: jsmith@microsoft.com
A dreadful way to "prove" security (Score:3)
Gene Spafford (co-author of the O'Reilly book on security, many seminal papers on Computer security, and minder of such tools as Tripwire - the man knows what he's talking about) had this to say some years ago on security challenges:
http://www.netsys.com/fire walls/firewalls-9511/0743.html [netsys.com]
He lists so many good reasons (eight) to distrust this sort of challenge that it is difficult to summarise the message here. Best to click and read it yourself.
The point goes for every package where the author tries to "prove" security in this way - be it Sidewinder, Qmail or Microsoft. In many cases, the only result is to damage security by giving miscreants some "free time" to try and crack the system, for free, without fear of punishment.
Tiger teams have their place in a properly designed, properly managed security audit. Using unpaid tiger teams as the principal means is useless and dangerous. Will Microsoft move to assure its customers that this is simply a small part of a large, thorough security audit?
Dave--
I'm surrounded by hypocrites. (Score:3)
Do you get paid to find and report holes in Linux? Huh? Unless you work for a company that sells their own distribution and therefore it's your actual job, then no, the majority of you don't. So just what is the source of this stuck-up, arrogant, anti-Microsoft attitude? So what if Netscape won't read the page? I'd think that would be Netscape's fault, but no, you insist that the blame is to be placed on Microsoft. My Microsoft web browser doesn't choke on Javascript. Netscape's browser does. Netscape is the obvious problem here.
The open-source community has been calling for Microsoft to do something like this for a long time now. Microsoft is begging for you guys to show them what you're talking about when you say "Windoze sux". If Windows sucks so much, it shouldn't be any trouble to knock out that IIS box, should it? Huh? Then why are you wasting time complaining? Get over there and kill that sucker! And while you're at it, if you want an even easier challenge, you're more than welcome to try and kill my own Windows 2000 beta 3 web server. I haven't optimized it for security, because I don't see any need to. It's on a tiny pipe, and it'd probably be a snap to wipe that sucker out. Go for it! Go kill http://wonko.com/ [wonko.com] and then let me know [mailto] about it! Tell me how lame my system was and how easy it was for you to crack it. Go on! I dare you. :)
--
Wonko the Sane
LinuxPPC asked crack this machine! (Score:4)
It's running apache only. If no one gets in for awhile, we will start adding services( sendmail is first)
(You might have to wait for DNS to update in an hour - the IP is 169.207.154.108
Hilites from the hacked page source (Score:2)
It's just too funny!
Re:Javascript Dies in Netscape (Score:2)
Re:They're asking the Internet to debug for them ! (Score:2)
Step into reality (Score:2)
For instance:
1)why should anyone want to help micro$oft audit the security of win2k? wait till we can get a copy of it, then we'll start looking for security holes.
2)why should anyone want to help micro$oft audit the security of win2k? wait till we can get a copy of it, then we'll start looking for security holes.
3)Maybe the crackers should avoid the site, or break it and NEVER tell Microsoft how they did it. We certainly do not want to help improve products of particular company.
What is it with you guys? You constantly complain about how unsecure Windows is and how much better Linux is. Then Microsoft gives you a chance to show them some of these security problems that Windows has and you say "Wait, don't help Microsoft then they might have a better product!!" Are you afraid that by showing them some of their security holes that Windows 2000 might actually, heaven forbid, be a good product and make Linux work keep its edge?
From most of the posts I read it seemed that people were afraid that they might actually help Microsoft release of good product and I don't understand how you can see the release of a more secure and better product as a bad thing regardless of who makes it.
Rich
What is it supposed to do? (Score:2)
Are there any ports open besides port 80?
And why does queso identify it as a Cisco/HP/Baystack switch?
It says it's running IIS 5.0, now that I'll believe.
"Rules of Engagement"?? WTF? (Score:2)
0) You don't do anything unexpected.
1) You don't use a valid account to get in.
2) You only use ports 19, 24, 88 and 666.
3) You only use Microsoft products to do it.
4) You don't tell anyone.
5) You tell us (see rule #4)
Are they kidding?? The first thing a hacker/cracker would do is something unorthodox. Where do they get off thinking that you can test the security of a system by imposing rules of engagement.
That's what you get when you let your lawyers dictate procedure to your techies.
Javascript error "Windows is not defined" (!) (Score:2)
Re:Anti-Microsoft for no good reason? (Score:4)
They're just grandstanding and posturing, trying to prove that Windows 2000 is secure. Its win-win for them -- free high-level security testing (which unlike Beta testing, is something that is generally VERY expensive to contract out for), if it gets cracked, then they get an early warning and time to fix the problem, and if they don't their marketroids will have that nugged to get their paid-off "independant" columnists to write about.
All while people are wasting time to save Microsoft money developing a product that they're going to charge exorbanant licensing fees for.
Seems kind of stupid for anyone to waste their time on it. Get your own copy of Windows 2000, crack THAT, and post THAT exploit all over the net. That puts Microsoft in their place, and doesn't help them screw people over even more.
Re:Javascript Dies in Netscape (Score:3)
It seems that netscape is trying to execute this function before loading the DIV, while IE (and Mozilla) has either loaded it already or scanned the file to find that object.
As for what is correct in this situation, it would have to depend on when the "onload" function should be called -- before the page is fully loaded or after. IMHO, I'd probably have to say that IE and Mozilla are probably doing it right (no error vs. error).
I don't know why there is a spacing problem in Netscape (but I wouldn't be too surprised if it's intentional). Anybody know if Netscape or IE is interpreting the HTML "wrong" (please don't define "right" as what netscape does -- define it as you'd expect a browser to behave)?
Re:m$ comments about javascript problem (Score:2)
Sounds more like high specific gravity to me...
Why this is BS (Score:3)
xm@GeekMafia.dynip.com [http://GeekMafia.dynip.com/]
Oops (Score:3)
Re:Smart move for Microsoft (Score:2)
But Microsoft doesn't believe in choice, oh wait, yes they do, "Workstation or Server edition?"
A Stronger W2K means that MS will be in a stronger position to push their "Windows Everywhere" agenda
*sigh8 EXPLANATION: Login Failure (Score:2)
You didn't take anything down.
Re:Real security for 2000 and beyond? (Score:3)
Re:What an ugly site (Score:2)
Why would they? This is MS, to them there is only one browser. When they released IE for Unix, they proclaimed, "Finally, a graphical alternative to lynx!"
Re:Illegal? (Score:2)
In the same way, this sort of B&E by permission is legit. This has been done by private "tiger teams" numerous times, in the private biz and the military. Microsoft has simply given B&E permission (to that one site) to the world, using the entier net.population as one honkin' huge tiger team.
Re:Anti-Microsoft 'cause no reason to support 'em (Score:2)
To a certain extent, the participation of the Opensource community is driven by intangibles, and that force hasn't been able to be successfully co-opted by any corporation yet. Look at some examples:
- Netscape fails to engage thousands of kernel hackers in redevolping their browser
- Redhat starts becoming a "brick and mortar" business, and the linux community starts to diss them and fight for disto agnosticism
- For every major corporate announcement of plans for a Linux port, there's an effort underway to develop a free replacement.
I don't think that many hackers are really interested in helping Micros~1 make better products -- since we don't use 'em, we don't promote 'em, and we stand to gain *NOTHING* by improving IIS 5.0 or Windows2001 - A Wasted Disk Space Odyssey.
There's no portable code being release for peer review. There's no public API. There's nothing of interest for the linux hacker other than saying, "look, I hacked another Windows box!"
Thoughts from a grey-hat (Score:3)
If any of the attacks succeed, they have a trace of the crack, and can build better security for the final release of NT2000. This is good, because I'll have those pieces of shit installed all over my networks soon enough.
They also get to harvest IP addresses of everyone stupid enough to try even looking at this machine. Even a simple traceroute will give them a source IP address. Toss them all into a big database at a later date, couple it in with some other data about the attack type, and wait to use it later to track crackers. Offline analysis is a powerful tool, couple it with automated lookups and a simple knowledge based system, and you could populate a DB with some dangerous data.
For the paranoid, perhaps there has been a nasty break-in by some sophisticated infocriminals (love that new word, see HNN), and the FBI are also sitting in the room with their own analyzers, waiting for someone to try a similar attack. Assuming the crackers are just some misguided wanna-be scripties, this could help the FBI to back track to them. The cracking contest is just a combination of marketing fiasco and FBI clue gathering mission. The FBI are probably not even looking for anything they could use in court, just some leads to track down.
Given the lack of any other services on the machine, and the simplicity of the web pages (no DB or useful cgi-bin), and the quickly hacked together javascript errors, I would say this is mostly a marketing exersize. No matter what the outcome, they can spin it into some hype and a FUD campaign.
the AC
Conspiracy Theory... (Score:3)
1) They are tricking us into hosing a Linux box,
2) They have ported IIS to Linux and are testing that configuration, or
3) The scans are coming back incorrect.
I hope for the sake of the Linux comunity that it is (3) rather than the first 2. Man, think of the bad press for Linux!
IP addy (Score:2)
The interesting point that everyone keeps reitterating is that the site has been constantly down all day. I keep wondering what spin MS is going to put on this. They put out this box to be cracked, which cant even stay online. They use a non real world example by not running any services. The sad part is due to all the lame posts, they will attribute this to the opensource community in some way and attempt to make us look bad. And all this when I was just remarking that Bill Gates has done something good for once by donating some of his fortune to a really good charitable cause. *sigh*
Smart move for Microsoft (Score:4)
- Nothing breaks it, and this becomes a marketing high-point for Microsoft - It gets broken, and Microsoft engineers now have solid data (vice anecdotal) as to where the problems are. Especially if this was compiled with the debug option switched on.
Christopher A. Bohn
Wow! This server is BULLETPROOF! (Score:2)
We're witnessing the ultimate in internet security! Not only is it impossible to hack/crack/smack this box, but they've tightened things up sooooo much that I can't even ping it! Heck, I can't even resolve the name to an IP address.
My next challenge is for all you
What an ugly site (Score:2)
----
Re:m$ comments about javascript problem (Score:3)
Top Ten Specific Reasons Why Only MSIE Users Can View Microsoft Cracking Challenge
10. If you're doing lame browser detection, MSIE is fewer letters to type than Netscape, Mozilla, or even Opera.
9. Similarly, "JScript" is shorter than "JavaScript".
8. AOL^H^H^HMicrosoft is the Internet.
7. We left our copy of FrontPage at the default settings. But don't worry, it will all be fixed in FrontPage 2005.
6. We fear the mighty /. effect, and those fanatics wouldn't be caught dead using Exploder.
5. VisualBasic is more powerful and efficient than C++.* Likewise, Internet Explorer has that comforting familiar Microsoft Windows interface, so you don't have to learn that arcane, complicated Netscape setup.
4. You can't crack our powerful enterprise-level Microsoft(tm) Windows(tm) server if you can't read the rules we made up, nanny nanny boo boo.
3. We're weenies. We couldn't write "Hello world" in HTML, let alone use scripting languages.
2. 3l337 hAx0r d0oDz swear by MSIE.**
And the number one reason why only MSIE users are permitted to view the Microsoft cracking challenge is... drumroll, please...
1. Somehow the demo site was interfered with. Give me another chance, your honor.
*Editor's note: Microsoft actually says this on another page.
**Editor's note: swear at, more likely.
Refresh hack (Score:2)
With all the people hammering the server though, I'm surprised nobody tried a meta refresh before my redhat.com and freebsd.org tests. :P
Re:Javascript Dies in Netscape (Score:2)
Why Hackers might be kvetching... (Score:4)
Some people yelp, "Screw Microsoft, let em do their own dirty work."
Others tut tut, "This is just like Open Source! This is a step in the right direction."
What to do!?! Is Microsoft challenging us to stick by our Morals? Or are we being "used" by a corporate entity. Even worse, are the logs of this attempt at hackign the system going to represent evidence?
#1. If you can't avoid a simple tcp/ip packet sniffer from tracking you down, then you are unlikely to be the ones the FBI cares about.
#2. If you believe that this is closer to open source than before, try a breath deep too. Oxygen is good. Yes.. It burns stuff... Anyone can torture test any product they buy. There is nothing open source about that. The issue of Open Source is that modifications we as hackers might make after finding bugs, are owned by the community, as is the original software to some extent. The notion that this method of security analysis is any different than normal practice of Microsoft is laughable. The question is HOW the software is being tested, not WHO is testing it.
#3. I will note that it is rare for a Linux machine to HAVE to be advertised to be crashed. That is because if you want to test out a security flaw you can create your own test machine with no cost. Thats the joy of OPEN SOURCE. You can truly know what you are getting, try it before spending money, and even fix problems yourself rather than having to wait for a company to respond to your bug report.
#4. I still have doubts that this product ever will exist. The fact is that if no one hacks the software, then Microsoft can claim their non-released software that probably will not be really implemented before some serious bug fixing, is secure within the context of 1999's security issues and protocols. With new services being added regularly and custom software being thrown into the mix, this is relatively vapor ware benchmarking...
Whatever,
dlg
Contest? (Score:3)
I haven't read the "rules", but I wonder if everyone will follow them.
A ploy to get crackers to use IE4-5!!! (Score:2)
Re:What an ugly site (Score:2)
Re:Smart move for Microsoft (Score:2)
Outcome 1 - nothing breaks it. THis would be a bad thing. Arrogance and "we're unstoppable" would be their attitude.
Outcome 2 - we break it. they fix it. This would be a GOOD THING. The more secure a system is, the better. It doesn't conflict with our goal of Total World Domincation....it just gives people a viable choice.
You forgot Outcome 3 though - we break it. they deny it for 6 months and then release a Service Pack that fixes the problem that "doesn't exist". This seems the most likely to me.
Nonsense. (Score:3)
Exactly how is this "challenge" intriguing? Cracking contests are a dime-a-dozen these days, which is interesting because they demonstrate almost nothing about security. (See this essay [counterpane.com] to undestand why.) If you believe that the nature of the open-source community is to fall for tricks like that then you have drastically underestimated this community. Most of the audience here doesn't get paid to find and report security holes in Linux or NT. However, if you find a security hole in Linux the result of your work will be made available to you and everyone in the Linux community at no charge through the efforts of volunteers like Torvalds and Cox. If you make the same effort for NT on the other hand, Gates is sure to offer you the opportunity to pay for the improvement whenever Win2K manages to surface without seeing it's own shadow.
I'm not sure what you mean when you say, "The open-source community has been calling for Microsoft to do something like this for a long time now." As far as I can tell, no one has asked for Microsoft to offer us an opportunity to allow us to support their development and marketing efforts without compensation. Sorry, but now that the opportunity is here, I'm still not impressed. It probably would be easy to knock down the Win2K test server (I can't seem to get through to it so perhaps someone already did), and yours as well -- but I don't much care. I use Linux because it is the most stable and effective operating system that meets my computing needs, not as a protest against some other system. I choose to direct my attention to constructive activities -- attacking a system that isn't even in production without source code or specifications doesn't qualify.
Don't bother (Score:2)
Re:It is already borked. (Score:2)
2 staff/admins per mainframe
3 staff/admins per NT server + good technical support contract
Yes but those 3 staff are much cheaper since NT is so easy that anyone can admin it.***
*** Not my own view, but it seems to be a prevalant view among some PHBs. MS themselves seem guilty of pushing this notion in some form.
Re:Smart move for Microsoft (Score:2)
Re:Thoughts - Pebkac Networks (Score:2)
Seems to be a class C block of IP addresses from right in the middle of the Class B that M$ uses. Claims to be an ISP, but they have just one static web page on their server.
the AC
Re:Real security for 2000 and beyond? (Score:2)
And what does the Cracker get out of it? (Score:2)
1) Noone breaks in. Claim the most secure 0S in the world.
2) People break in, MS fixes the bugs, downplays the seurity risk, and makes money off of a better product.
What do the crackers get?
1) They don't break in, Nothing.
2) If they break in, Nothing.
Humm... What a deal.
Who is going to waste thier time trying to get into a system they have no idea whats behind? Where are the security holes? I would hope MS has fixed all the Known problems. And until they release thier software, it will be hard to see what new is broken.
Quack
Microsoft (Score:3)
Do GPFs count as "hidden messages"?
The goal is to see how a properly secured machine will stand up to attack. These machines are configured to prevent known attacks.
With a cookie-cutter operating system like Windows, you'd think they'd make the default configuration as resistant as possible to known attacks.
Re:Step into reality (Score:2)
But then does it really matter what company I work for? The point is that as a programmer you should work to help people release good code, not avoid helping someone just because you don't like their previous products.
That is only narrow minded and immature.
Rich
Anti-Microsoft for no good reason? (Score:5)
If you don't want to help Microsoft out, that's one thing, but you can't deny that this is better for the hoards of people who will be running this thing.
The Fallacy of Cracking Contests (Score:3)
The Fallacy of Cracking Contests [counterpane.com]
--
Re:Javascript Dies in Netscape (Score:3)
Re:Smart move for Microsoft (Score:5)
- Real Crackers aren't going to spend their time trying to get caught on a high-profile site.
- Script kiddies don't have any scripts for the "new" OS yet.
- It's new - so of COURSE it's going to take time to find the vulnerabilities. You think "one stunt, and that's it" is going to fix all their problems? You're more naive than I thought.
- Past record. How long does Microsoft take to acknowledge, let alone fix, the problems they find? W2K *will* have bugs. All major programs have bugs. The question is - will they efficiently and quickly inform their customers, and provide comprehensive support to them - like the 4-color glossies they distribute say?
- Many vulnerabilities are discovered at the console - and by looking at the source. It could be wide open, but you'd never know that from a remote perspective. Breaking into a system you've never seen or used remotely has about as much of a chance of success as me getting away with being called Rob Malda in this post.
That's just what I can think of off the top of my head. Use your imagination. And most importantly: dismiss yet another one of Microsoft's tricks to get you to do their bidding. Clever Microsoft, but I thought you'd have learned by now that the 'net dispels FUD faster than a speeding salesman.
--