Anyone following the MS vs Linux hacker challenge?

[rycamor]

MS Test Server Crashes - Aug. 4, 1999 1:43 PM<br>

http://www.zdnet.com/zdnn/stories/news/0,4586,2309474,00.html<br>

<br>
To test their new operating system for network security, Microsoft issued an open challenge to the hacking community. Hackers and testers barely got a chance to break Windows 2000's security system because the test server crashed soon after it was put online, and was down for 24 hours. Since then it has been down more than up.<br>
<br>

http://www.windows2000test.com/<br>

<br>
To sort of rub dirt in MS's face, LinuxPPC ran a similar challenge, but they include a prize: if you crack it, you keep it: a PowerPC system with 160 MB RAM <br>
<br>

http://crack.linuxppc.org<br>

<br>
They even gave away a few clues like the ROOT PASSWORD, and so far over 25,000 attempts have failed to hack in.<br>
<br>
Gotta love it!

 

[mckarl]

cool.

 

[warmongr]

dido mckarl

 

[Scanner]

Most of the 25K attempts were probably people from Microsoft.

 

[Delton]

If most of the 25k attempts were people from microsoft, then it is no wonder their server crashed so badly. Maybe they still haven't gotten the message... stability and open source..

 

[rycamor]

OK, so the LinuxPPC system hung once, because the system ran out of RAM, but that's to be expected when everyone tries to use the server-parsed guestbook to crack in.<br>
<br>
BTW, telnet was running the whole time, and Jeff Carr even updated web pages while traveling.<br>
<br>
MEANWHILE...<br>
<br>
The M$oft system, with more than twice the capacity, crashed at least once a day, if not more, and was available only about 25% of the time I tried it.<br>
<br>
The status history contains a few gems such as:<br>
<br>
&gt;&gt;<br>
<br>
8/11/99 Events<br>
<br>
...<br>
<br>
20:00 - You aren't going to believe this, but ... after restarting the server, the system had a problem with the audio driver. This is a fairly new audio device type for the system. Updates to this device driver were made in the last few days. A new driver for the audio device was available from the developer. We updated the audio driver and restarted. <br>
<br>
We are trying out a fix for the high usage of non-paged pool memory.<br>
<br>
The high volume of network traffic (Thanks for all the attention!) is keeping the CPU usage near 100%.<br>
<br>
&lt;&lt;<br>
<br>
I guess the administrators stuck in their offices (no telnet) need to listen to something.<br>
<br>
I was led to understand that a good server NEVER shows 100% CPU usage, even with a saturated network, which I believe you will see in the LinuxPPC status log.<br>
<br>
Anyone know if there is any truth to the story that someone broke in to the W2K test system and altered the guestbook page? Apparently Microsoft dismissed it as irrelevant.

 

[sijones]

One name Bill Gates, ohh crap yes I said the name I think I better hang my self!<br>
<br>
Why doesn't he own up say his operating system is crap and start again, but this time give the linux community permission to do the programming, then he'll have a operating system.

 

[robherc]

hmmm.....let's crack it then.....MSW2K can't be much harder than DOS, W3.x, or W9x & I haven't been totally locked out of *any* of the above.....I don't even know much hacking!<br>
<br>
<br>
-Robherc

 

[robherc]

have downloaded ASP pages; will run through the works for loopholes into system tomorrow......executable, web-accessible files are the *easiest* way into a system...if *ANY* input is made executable (especially in translated files such as perl, cgi & asp) you can simply put your little gem nto that slot & dynamite the mouse-hole WIDE open!!<br>
<br>
(sysadmins take note: I *could* easily download your uid & password files simply by looking up the filename in your perl login script & downloading the DB...someone needs to get a clue: COMPILE IT BEFORE MAKING IT WEB_ACCESSIBLE; then it at least presents a _challenge_ to the non-ethical hackers out there [I'm DEFINATELY *NOT* ONE OF THEM THOUGH!]).<br>
<br>
<br>
-Robherc

 

[rycamor]

robherc,<br>
<br>
When you say you downloaded ASP pages, did you download the 'pre-parsed' ASP code, or the visible source? If so how?

 

[robherc]

da$& it!! I forgot that ASP is one of 2 diff. types of files that my prog. allows to execute before downloading....I just ended up getting the HTML that the ASP spit out......need to get a new prog, but oh well...don't do enough hacking to matter. I can downlod visible, readable perl sourcecode though....this makes finding password/UID databases EASY (have only used for tests...deleted info before reading).<br>
My software is Netbutler from acceleration software....if you see the cups & ball adv. at the top of a forum here; that's an advertisement for where I got it from; is free & *very* usefull; don't leave your desktop w/out it.<br>
<br>
-Robherc

 

[Spammy]

I found the Win2k challenge kind of funny. An out of the box linux distro running on a fraction of the computer Micro$oft had only was rebooted once. This box was maintained by one (i think) person versus a whole team M$ must have had trying to keep their server up. And I don't know how many times I have needed that dang audio card in my server. Was this test supposed to build our confidence in M$ products or give away market share?<br>

 

[robherc]

&nbsp;&nbsp;&nbsp;&nbsp;The worst thing about the Micro$~1 challenge is that it *NOT* at ALL realistic.....how many servers in the _world_ are going to be used for so little; _any_ real-life server is going to have more functions, and thus more exposure, than 3 ASP pages _including_ a text-only guestbook! NO real-live server that I know of runs entirely off of ASP pages & a DB for _all_ network-related tasks, in real life hacking is *way* easier than that!!!!!<br>
&nbsp;&nbsp;&nbsp;&nbsp;Hope to check out the LinuxPPC challenge server soon, please tell me I won't be as embarrased!!!!<br>
<br>
<br>
-Robherc

 

[rycamor]

The LinuxPPC server challenge is over, because their network was just a little too hammered. Remember, they probably don't have 1% the budget M$ has. They are still giving away the computer if you can reproduce their configuration and break in.<br>
<br>
crack.linuxppc.org wasn't really much more realistic than windows2000test.com: OK they had telnet enabled but not much more. Certainly no mail server or FTP.<br>
<br>
Hey guys, why don't we organize to do some more real-world type tests? Just a thought. Maybe include FreeBSD in the lot.

 

[robherc]

I have 8 different Linux distribs & FreeBSD.....I'll donate the software if everyone else can come up with the severs & URLs.....then maybe we can pool the knowledge, join together, and come up with some *real* answers to _real world_ security problems!<br>
<br>
<br>
-Robherc<br>
robherc@netzero.net<br>
AIM: robherc001

 

[rycamor]

I can probably come up with at least 1 or 2 IP addresses we can use, and I have an 'older' Pentium 100 we can use, plus I might get my hands on a Macintosh PowerPC to try and duplicate LinuxPPC's configuration, with a few more services running.<br>
<br>
I'll let you know next week.<br>
<br>
-Rick

 

[robherc]

Rick-<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;That sounds great; but I don't have the LinuxPPC software yet....have checked on it though: cost of CD direct from PPC is $25.00.<br>
&nbsp;&nbsp;&nbsp;&nbsp;The Pentium 100 should work well; I'm currently using one of those to run an installation of Caldera & it's going pretty fast.<br>
<br>
<br>
All-<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;Realistically; there are nearly 900 of us in here...that means if each of us gave $5 we'd have a total of $4,500.00 to get a few servers & URLs running; if some of us donate more than $5, or more than $5.00 worth of equipment/software, we can make something EXCELLENT (not to mention learning a *lot* about running *nix servers.<br>
<br>
<br>
<br>
-Robherc<br>
robherc@netzero.net

 

[rycamor]

I have a T-1 connection here, so I can download and write to CD any distributions needed. I will be glad to simply charge for media and postage.<br>
<br>
My time is limited right now because of a 'mission-critical' project, but I will probably be able to put up one server outside a firewall sometime in the next couple of weeks. Once my project is over, I will be dedicating a significant percentage of my time to learning and using *nix web applications.<br>
<br>
Looking forward to it. Let's face it: Unix is just more fun.

 

[mckarl]

god this is pretty cool, like a linux hacking gang.. that hack legally ... kinda turns me on .<br>
<br>
J/K..<br>
<br>
lets face it... security anywhere is shit... unless real sensitive data is there, take this place for example, i can give you any usernames password and e-mail address..<br>
<br>
Microsoft have to have cocked up somewhere!!! ... how about getting some inside info on their system though??..<br>
<br>
anyone got any system details??<br>
<br>
I mean for 4,500 ... we can pay off an insider of M$ )<br>
<br>
hehe... j/k. <br>
<br>
anone got any details??.. maybe i will take a look..<br>
<br>
Join the gang <br>
<br>
Karl.<br>
<br>
mc_karl@yahoo.com <br>

 

[mckarl]

by the way, i did tell the guys here about their crap security, ... my response was the protection was down, cos they are installing a new server?? <br>
<br>
Well.. it's taking them a long time!!<br>