Slashdot Log In
Microsoft /asks/ "Crack this machine"
Posted by
Hemos
on Tue Aug 03, 1999 10:31 AM
from the they-asked-for-it dept.
from the they-asked-for-it dept.
zealot writes "Apparently Microsoft wants people to try breaking the security on this site, which is running Win2k w/ IIS. There are some "rules" of engagement. " Basically, because it's not behind a firewall, it doesn't count to throw huge numbers of packets at it, but there are multiple users accounts-change stuff, look for hidden messages, or "get something you shouldn't have".
This discussion has been archived.
No new comments can be posted.
Microsoft /asks/ "Crack this machine"
|
Log In/Create an Account
| Top
| 683 comments
(Spill at 50!) | Index Only
| Search Discussion
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
m$ comments about javascript problem (Score:3)
[windows2000test.com]
message board
We have disabled the abilty of the Netscape browser to view our page for specific reasons. Please do not flame the messege board with comments pertaning to the inabilty to view the page in Netscape. Any comments relating to this should be directed at the Webmaster in charge of this page: jsmith@microsoft.com
A dreadful way to "prove" security (Score:3)
Gene Spafford (co-author of the O'Reilly book on security, many seminal papers on Computer security, and minder of such tools as Tripwire - the man knows what he's talking about) had this to say some years ago on security challenges:
http://www.netsys.com/fire walls/firewalls-9511/0743.html [netsys.com]
He lists so many good reasons (eight) to distrust this sort of challenge that it is difficult to summarise the message here. Best to click and read it yourself.
The point goes for every package where the author tries to "prove" security in this way - be it Sidewinder, Qmail or Microsoft. In many cases, the only result is to damage security by giving miscreants some "free time" to try and crack the system, for free, without fear of punishment.
Tiger teams have their place in a properly designed, properly managed security audit. Using unpaid tiger teams as the principal means is useless and dangerous. Will Microsoft move to assure its customers that this is simply a small part of a large, thorough security audit?
Dave--
I'm surrounded by hypocrites. (Score:3)
Do you get paid to find and report holes in Linux? Huh? Unless you work for a company that sells their own distribution and therefore it's your actual job, then no, the majority of you don't. So just what is the source of this stuck-up, arrogant, anti-Microsoft attitude? So what if Netscape won't read the page? I'd think that would be Netscape's fault, but no, you insist that the blame is to be placed on Microsoft. My Microsoft web browser doesn't choke on Javascript. Netscape's browser does. Netscape is the obvious problem here.
The open-source community has been calling for Microsoft to do something like this for a long time now. Microsoft is begging for you guys to show them what you're talking about when you say "Windoze sux". If Windows sucks so much, it shouldn't be any trouble to knock out that IIS box, should it? Huh? Then why are you wasting time complaining? Get over there and kill that sucker! And while you're at it, if you want an even easier challenge, you're more than welcome to try and kill my own Windows 2000 beta 3 web server. I haven't optimized it for security, because I don't see any need to. It's on a tiny pipe, and it'd probably be a snap to wipe that sucker out. Go for it! Go kill http://wonko.com/ [wonko.com] and then let me know [mailto] about it! Tell me how lame my system was and how easy it was for you to crack it. Go on! I dare you. :)
--
Wonko the Sane
LinuxPPC asked crack this machine! (Score:4)
It's running apache only. If no one gets in for awhile, we will start adding services( sendmail is first)
(You might have to wait for DNS to update in an hour - the IP is 169.207.154.108
Re:Anti-Microsoft for no good reason? (Score:4)
They're just grandstanding and posturing, trying to prove that Windows 2000 is secure. Its win-win for them -- free high-level security testing (which unlike Beta testing, is something that is generally VERY expensive to contract out for), if it gets cracked, then they get an early warning and time to fix the problem, and if they don't their marketroids will have that nugged to get their paid-off "independant" columnists to write about.
All while people are wasting time to save Microsoft money developing a product that they're going to charge exorbanant licensing fees for.
Seems kind of stupid for anyone to waste their time on it. Get your own copy of Windows 2000, crack THAT, and post THAT exploit all over the net. That puts Microsoft in their place, and doesn't help them screw people over even more.
Re:Javascript Dies in Netscape (Score:3)
It seems that netscape is trying to execute this function before loading the DIV, while IE (and Mozilla) has either loaded it already or scanned the file to find that object.
As for what is correct in this situation, it would have to depend on when the "onload" function should be called -- before the page is fully loaded or after. IMHO, I'd probably have to say that IE and Mozilla are probably doing it right (no error vs. error).
I don't know why there is a spacing problem in Netscape (but I wouldn't be too surprised if it's intentional). Anybody know if Netscape or IE is interpreting the HTML "wrong" (please don't define "right" as what netscape does -- define it as you'd expect a browser to behave)?
Why this is BS (Score:3)
xm@GeekMafia.dynip.com [http://GeekMafia.dynip.com/]
Oops (Score:3)
Re:Real security for 2000 and beyond? (Score:3)
Thoughts from a grey-hat (Score:3)
If any of the attacks succeed, they have a trace of the crack, and can build better security for the final release of NT2000. This is good, because I'll have those pieces of shit installed all over my networks soon enough.
They also get to harvest IP addresses of everyone stupid enough to try even looking at this machine. Even a simple traceroute will give them a source IP address. Toss them all into a big database at a later date, couple it in with some other data about the attack type, and wait to use it later to track crackers. Offline analysis is a powerful tool, couple it with automated lookups and a simple knowledge based system, and you could populate a DB with some dangerous data.
For the paranoid, perhaps there has been a nasty break-in by some sophisticated infocriminals (love that new word, see HNN), and the FBI are also sitting in the room with their own analyzers, waiting for someone to try a similar attack. Assuming the crackers are just some misguided wanna-be scripties, this could help the FBI to back track to them. The cracking contest is just a combination of marketing fiasco and FBI clue gathering mission. The FBI are probably not even looking for anything they could use in court, just some leads to track down.
Given the lack of any other services on the machine, and the simplicity of the web pages (no DB or useful cgi-bin), and the quickly hacked together javascript errors, I would say this is mostly a marketing exersize. No matter what the outcome, they can spin it into some hype and a FUD campaign.
the AC
Conspiracy Theory... (Score:3)
1) They are tricking us into hosing a Linux box,
2) They have ported IIS to Linux and are testing that configuration, or
3) The scans are coming back incorrect.
I hope for the sake of the Linux comunity that it is (3) rather than the first 2. Man, think of the bad press for Linux!
Smart move for Microsoft (Score:4)
- Nothing breaks it, and this becomes a marketing high-point for Microsoft - It gets broken, and Microsoft engineers now have solid data (vice anecdotal) as to where the problems are. Especially if this was compiled with the debug option switched on.
Christopher A. Bohn
Re:m$ comments about javascript problem (Score:3)
Top Ten Specific Reasons Why Only MSIE Users Can View Microsoft Cracking Challenge
10. If you're doing lame browser detection, MSIE is fewer letters to type than Netscape, Mozilla, or even Opera.
9. Similarly, "JScript" is shorter than "JavaScript".
8. AOL^H^H^HMicrosoft is the Internet.
7. We left our copy of FrontPage at the default settings. But don't worry, it will all be fixed in FrontPage 2005.
6. We fear the mighty /. effect, and those fanatics wouldn't be caught dead using Exploder.
5. VisualBasic is more powerful and efficient than C++.* Likewise, Internet Explorer has that comforting familiar Microsoft Windows interface, so you don't have to learn that arcane, complicated Netscape setup.
4. You can't crack our powerful enterprise-level Microsoft(tm) Windows(tm) server if you can't read the rules we made up, nanny nanny boo boo.
3. We're weenies. We couldn't write "Hello world" in HTML, let alone use scripting languages.
2. 3l337 hAx0r d0oDz swear by MSIE.**
And the number one reason why only MSIE users are permitted to view the Microsoft cracking challenge is... drumroll, please...
1. Somehow the demo site was interfered with. Give me another chance, your honor.
*Editor's note: Microsoft actually says this on another page.
**Editor's note: swear at, more likely.
Why Hackers might be kvetching... (Score:4)
Some people yelp, "Screw Microsoft, let em do their own dirty work."
Others tut tut, "This is just like Open Source! This is a step in the right direction."
What to do!?! Is Microsoft challenging us to stick by our Morals? Or are we being "used" by a corporate entity. Even worse, are the logs of this attempt at hackign the system going to represent evidence?
#1. If you can't avoid a simple tcp/ip packet sniffer from tracking you down, then you are unlikely to be the ones the FBI cares about.
#2. If you believe that this is closer to open source than before, try a breath deep too. Oxygen is good. Yes.. It burns stuff... Anyone can torture test any product they buy. There is nothing open source about that. The issue of Open Source is that modifications we as hackers might make after finding bugs, are owned by the community, as is the original software to some extent. The notion that this method of security analysis is any different than normal practice of Microsoft is laughable. The question is HOW the software is being tested, not WHO is testing it.
#3. I will note that it is rare for a Linux machine to HAVE to be advertised to be crashed. That is because if you want to test out a security flaw you can create your own test machine with no cost. Thats the joy of OPEN SOURCE. You can truly know what you are getting, try it before spending money, and even fix problems yourself rather than having to wait for a company to respond to your bug report.
#4. I still have doubts that this product ever will exist. The fact is that if no one hacks the software, then Microsoft can claim their non-released software that probably will not be really implemented before some serious bug fixing, is secure within the context of 1999's security issues and protocols. With new services being added regularly and custom software being thrown into the mix, this is relatively vapor ware benchmarking...
Whatever,
dlg
Contest? (Score:3)
I haven't read the "rules", but I wonder if everyone will follow them.
Nonsense. (Score:3)
Exactly how is this "challenge" intriguing? Cracking contests are a dime-a-dozen these days, which is interesting because they demonstrate almost nothing about security. (See this essay [counterpane.com] to undestand why.) If you believe that the nature of the open-source community is to fall for tricks like that then you have drastically underestimated this community. Most of the audience here doesn't get paid to find and report security holes in Linux or NT. However, if you find a security hole in Linux the result of your work will be made available to you and everyone in the Linux community at no charge through the efforts of volunteers like Torvalds and Cox. If you make the same effort for NT on the other hand, Gates is sure to offer you the opportunity to pay for the improvement whenever Win2K manages to surface without seeing it's own shadow.
I'm not sure what you mean when you say, "The open-source community has been calling for Microsoft to do something like this for a long time now." As far as I can tell, no one has asked for Microsoft to offer us an opportunity to allow us to support their development and marketing efforts without compensation. Sorry, but now that the opportunity is here, I'm still not impressed. It probably would be easy to knock down the Win2K test server (I can't seem to get through to it so perhaps someone already did), and yours as well -- but I don't much care. I use Linux because it is the most stable and effective operating system that meets my computing needs, not as a protest against some other system. I choose to direct my attention to constructive activities -- attacking a system that isn't even in production without source code or specifications doesn't qualify.
Microsoft (Score:3)
Do GPFs count as "hidden messages"?
The goal is to see how a properly secured machine will stand up to attack. These machines are configured to prevent known attacks.
With a cookie-cutter operating system like Windows, you'd think they'd make the default configuration as resistant as possible to known attacks.
Anti-Microsoft for no good reason? (Score:5)
If you don't want to help Microsoft out, that's one thing, but you can't deny that this is better for the hoards of people who will be running this thing.
The Fallacy of Cracking Contests (Score:3)
The Fallacy of Cracking Contests [counterpane.com]
--
Re:Javascript Dies in Netscape (Score:3)