Mailing List Archive

On Sun, 15 May 2005 00:13:13 +0300
Adir Abraham <adirab@gmail.com> wrote:

Wow, thats really cool. I hope there is somebody on this list who can wipe the smirk off of Gang Xiao's face (site admin). ;-)

- Ryan Lynch

> http://wims.unice.fr/wims/wims.cgi?session=SSF913912E.2&+lang=en&+module=adm%2Funice%2Fchallenge
>
> Has anybody tried to crack this page? Comments?
>
> Regards,
>
> Adir.
>
> --
> gentoo-security@gentoo.org mailing list
>
--
gentoo-security@gentoo.org mailing list

On Saturday 14 May 2005 22:13, Adir Abraham wrote:
> http://wims.unice.fr/wims/wims.cgi?session=SSF913912E.2&+lang=en&+module=ad
>m%2Funice%2Fchallenge
>
> Has anybody tried to crack this page? Comments?
>
> Regards,
>
> Adir.


Looks like an interesting way to gather information about how someone would
try to crack a server. "Honey" anyone? ;)


--
Rui Covelo
http://ruicovelo.no-ip.org

On 5/15/05, Rui Pedro Figueira Covelo <rpfc@mega.ist.utl.pt> wrote:
> Looks like an interesting way to gather information about how someone would
> try to crack a server. "Honey" anyone? ;)

well, of course, those challenges always serve multiple purposes... a)
test the security on the server, and b) learn about techniques used
against the security so that you can see how well your security stands
up to those techniques, and to see if there are techniques that you
haven't thought of, and perhaps should work towards defending against.

--
If, at first, you don't succeed, get a bigger hammer.

--
gentoo-security@gentoo.org mailing list

On Sunday 15 May 2005 23:29, Nathan Pinkerton wrote:
> On 5/15/05, Rui Pedro Figueira Covelo <rpfc@mega.ist.utl.pt> wrote:
> > Looks like an interesting way to gather information about how someone
> > would try to crack a server. "Honey" anyone? ;)
>
> well, of course, those challenges always serve multiple purposes... a)
> test the security on the server, and b) learn about techniques used
> against the security so that you can see how well your security stands
> up to those techniques, and to see if there are techniques that you
> haven't thought of, and perhaps should work towards defending against.

I've found somewhere on the 'net an interesting comment about security
challenges. I think it applies well to this situation.

http://www.privacy.nb.ca/cryptography/archives/cryptography/html/1998-12/0140.html

regards,
pedro venda.
--

Pedro João Lopes Venda
email: pjvenda < at > arrakis.dhis.org
http://arrakis.dhis.org

Pedro Venda wrote:
> On Sunday 15 May 2005 23:29, Nathan Pinkerton wrote:
>
>>On 5/15/05, Rui Pedro Figueira Covelo <rpfc@mega.ist.utl.pt> wrote:
>>
>>>Looks like an interesting way to gather information about how someone
>>>would try to crack a server. "Honey" anyone? ;)
>>
>>well, of course, those challenges always serve multiple purposes... a)
>>test the security on the server, and b) learn about techniques used
>>against the security so that you can see how well your security stands
>>up to those techniques, and to see if there are techniques that you
>>haven't thought of, and perhaps should work towards defending against.
>
>
> I've found somewhere on the 'net an interesting comment about security
> challenges. I think it applies well to this situation.
>
> http://www.privacy.nb.ca/cryptography/archives/cryptography/html/1998-12/0140.html

I like to remember that "Quoting ... out of context ... is an art."

Or, put another way, maybe you need to re-read Bruce's essay. Bruce
was talking about crypto challenges, and about how there's no mathematic
value to a crypto challenge--it doesn't prove cryptographic strength.

There's a related, but very different, issue involved in a "crack into
this box" challenge. The point to remember is that, in such challenges,
it's not really a test of that box's security. It's a test of how good
the attacker is. It's a well-known axiom of information security that
any system which can be used legitimately can also be used
illegitimately. This is a only question of time and resources. The
details of what resources, and how much time, is left as an exercise to
for the reader.

As a security tool, penetration testing can be valuable when you have
good rules of engagement. There are no clear rules of engagement here,
making it very difficult to assess whether the security environment
meets your goals at an appropriate price and effort point to be
desirable. People who focus on being "impervious to attack"
misunderstand that security--in the real world--is undertaken for
economic reasons, rather than technical ones. It's a common
misunderstanding to see in technical security people, though... I think
it may be a feature of inexperience, perhaps not having roles carrying
responsibility for more than technical elegance.

This "crack me" challenge may be held out as a validation technique, but
that's not what it's doing. After seeing how the page worked, its
highest value seems to be to gather intelligence about potential
attackers and to learn more about attack techniques. It looks like a
nice way to pick up some exploit code for free.

Frankly, I think the more appropriate quote doesn't come from
Schneier... and it's nicely symmetrical for this message, since I quote
it far outside Nietzche's intended context.

"When you gaze long unto the abyss, the abyss gazes also unto you."

-Bill
--
William Yang
wyang@gcfn.net
--
gentoo-security@gentoo.org mailing list

On 5/15/05, William Yang <wyang@gcfn.net> wrote:
> Or, put another way, maybe you need to re-read Bruce's essay. Bruce
> was talking about crypto challenges, and about how there's no mathematic
> value to a crypto challenge--it doesn't prove cryptographic strength.

I thought Bruce's essay made several points that are valid even to non
cryptographic challenges. I think particularly points 2 and 3: "The
analysis is not controlled" and "Contest prizes are rarely good
incentives." Personally, it feels mostly like a marketing ploy to me.
The URL also links to a similar writing about hacker challenges, but
the page seems to have moved. I was able to find it in another
location with the help of Google:
http://www.ieee-security.org/Cipher/Newsbriefs/1996/960212.challenges.html

--
gentoo-security@gentoo.org mailing list

On Monday 16 May 2005 03:47, William Yang wrote:
> Pedro Venda wrote:
> > On Sunday 15 May 2005 23:29, Nathan Pinkerton wrote:
> >>On 5/15/05, Rui Pedro Figueira Covelo <rpfc@mega.ist.utl.pt> wrote:
> >>>Looks like an interesting way to gather information about how someone
> >>>would try to crack a server. "Honey" anyone? ;)
> >>
> >>well, of course, those challenges always serve multiple purposes... a)
> >>test the security on the server, and b) learn about techniques used
> >>against the security so that you can see how well your security stands
> >>up to those techniques, and to see if there are techniques that you
> >>haven't thought of, and perhaps should work towards defending against.
> >
> > I've found somewhere on the 'net an interesting comment about security
> > challenges. I think it applies well to this situation.
> >
> > http://www.privacy.nb.ca/cryptography/archives/cryptography/html/1998-12/
> >0140.html
>
> I like to remember that "Quoting ... out of context ... is an art."

obviously, I disagree.

> Or, put another way, maybe you need to re-read Bruce's essay. Bruce
> was talking about crypto challenges, and about how there's no mathematic
> value to a crypto challenge--it doesn't prove cryptographic strength.

yes, I've read it.

> There's a related, but very different, issue involved in a "crack into
> this box" challenge. The point to remember is that, in such challenges,
> it's not really a test of that box's security. It's a test of how good
> the attacker is. It's a well-known axiom of information security that
> any system which can be used legitimately can also be used
> illegitimately. This is a only question of time and resources. The
> details of what resources, and how much time, is left as an exercise to
> for the reader.

no, I think it is very related. most of the points apply exactly to both
situations. the security contest referred in this thread is exactly "my
security system is totally safe. go ahead and crack it, I'm sure you can't -
if you do... congratulations, I'll write your name somewhere".

this doesn't seem to be "I'll reward the best cracker" but more like "I'm the
best! noone can crack my bulletproof system".

if the above is the real purpose of the contest... I also doubt.

> As a security tool, penetration testing can be valuable when you have
> good rules of engagement. There are no clear rules of engagement here,
> making it very difficult to assess whether the security environment
> meets your goals at an appropriate price and effort point to be
> desirable.

I read that on bruce's essay.

> People who focus on being "impervious to attack"
> misunderstand that security--in the real world--is undertaken for
> economic reasons, rather than technical ones. It's a common
> misunderstanding to see in technical security people, though... I think
> it may be a feature of inexperience, perhaps not having roles carrying
> responsibility for more than technical elegance.

ok, but taking security for granted can be much more expensive. elegant
technical security solutions are generally good methods and contribute for
system stability, fewer maintenance costs (this may be going too far) and
improved general network/subsystem security. generally such systems have
steep learning curves (SELinux comes into mind) but pay out well.

> This "crack me" challenge may be held out as a validation technique, but
> that's not what it's doing. After seeing how the page worked, its
> highest value seems to be to gather intelligence about potential
> attackers and to learn more about attack techniques. It looks like a
> nice way to pick up some exploit code for free.

agree.

regards,
pedro venda.
--

Pedro João Lopes Venda
email: pjvenda < at > arrakis.dhis.org
http://arrakis.dhis.org

Hi everyone,

This one has sparked my interest. Has anyone tried to install sysmask?
Any good?

Ryan Lynch wrote:

>On Sun, 15 May 2005 00:13:13 +0300
>Adir Abraham <adirab@gmail.com> wrote:
>
>Wow, thats really cool. I hope there is somebody on this list who can wipe the smirk off of Gang Xiao's face (site admin). ;-)
>
>- Ryan Lynch
>
>
>
>>http://wims.unice.fr/wims/wims.cgi?session=SSF913912E.2&+lang=en&+module=adm%2Funice%2Fchallenge
>>
>>Has anybody tried to crack this page? Comments?
>>
>>Regards,
>>
>> Adir.
>>
>>--
>>gentoo-security@gentoo.org mailing list
>>
>>
>>

--
gentoo-security@gentoo.org mailing list