Re: 263's Computer Hacking Competition
 

They could do a 36 hour perpetual weekend session ( :ahh: ) instead of just 12 hours...

Re: 263's Computer Hacking Competition
 

Ill stock up on caffiene pills, soap, shirts, and drinks. You know suddenly im remembering the thread with how much soda will kill you. Who wants to test that calculator?

Re: 263's Computer Hacking Competition
 

I like the 36 hour idea. But maybe you could plan it for mid-december so that we don't have to worry about school and focus on the h4xin9. January would fit better for my school schedule (I have an obscenely long break), but that would cut into build period.

Re: 263's Computer Hacking Competition
 

Quick idea for after this is over (or maybe in place of this, something like that)...

A programming challenge in the same format as this. You don't know what you have to do until the first day and everything has to be made from scratch (no pre-made libraries). To make it really interesting, a combination of languages/platforms. EG: Have a client program that has to interact with a web program. Points for cross-OS compatibility and/or cross-database compatibility (having a nice sql abstraction layer that could work with both MySQL, MsSQL and PostgreSQL).

Re: 263's Computer Hacking Competition
 

Kernel recompiling really can only be done during grace period. If you can't get it done before then, though. We'll be there to catch your computer if your kernel doesn't reboot so backup your old kernels. The reason for lack of rebooting in the open season is so if you see someone rooting your box, you can't just reboot to stop them. Or reboot multiple times to avoid attacks, etc.

Good question. I was thinking of a network service that in some way is vulnerable to a buffer overflow. You can change that up a bit, make the client and server do a bit of handshaking or something, it's up to you. But it must be exploitable by a buffer overflow. Anything else is a bit beyond our scope I'd guess. Don't pull any funny stuff, and you can expect a good outcome on this part. And keep it simple too. Anything over 200 lines is way too excessive.

Why don't we do both? We can do the multiple small periods now, and then the longer game later. We need to hammer the rules out anyway and what better way to find weaknesses in rules than to actually play the game? Who knows, we may even get good enough to assemble a few teams to play the real roothack.

Re: 263's Computer Hacking Competition
 

If you want to be involved, PM me your email address. We're getting this thing going as soon as we can get teams and start talking about dates.

Re: 263's Computer Hacking Competition
 

This is a good, yet dangerous, idea! I want to participate!

Re: 263's Computer Hacking Competition
 

Then PM me your email. :) sciguy125 needs a team too, so you might want to PM him as well.

What about this for the vulnerable network service idea? I'll (or if you want to, you can as well, and we'll decide) write the vulnerable network service that you can choose to run. Running it as an unprivileged user will get you 50 or so points, but running it as root will get you 100 or so. If we think this is a good idea, I'll start writing it now.

Re: 263's Computer Hacking Competition
 

Do you have any details about how we will be connecting to the LAN. Much of my strategy seems to revolve around how much access I have and how I gain this access. Will we all get accounts on some sort of portal? Maybe there will just be some kind of router that we connect through?

Re: 263's Computer Hacking Competition
 

You act as though stack guard solves the problem... Most of the time it just convolutes it.

Re: 263's Computer Hacking Competition
 

Sure. The network is a home network off of a standard linksys router. You will connect into a gateway box (your team will have one fairly limited account on this box). You'll be able to compile stuff and run stuff on this box. Now that you're in the lan you can ssh into your team's computer. We'll assign IPs beforehand. There should be no need to scan the entire network, and if you do, we'll consider it an attack and kick you off the network. Any attacking to the gateway box will result in your team's immediate disqualification. We'll secure it as we see fit, but the real key is us watching you. We have access to all of your data thoughout this entire competition. Don't use passwords you normally use, and if you have anything you don't want anyone else to know, don't bring it there. There will be other computers on the lan, don't touch them, or arp poision them or anything. Any evidence of this will result in immediate disqualification.
It complicates solving buffer overflow attacks. If you're running vulnerable program xyz and it's stackguard compiled, I doubt many of us have the skills needed to get around that. This isn't a test of super hackers, this is just a bunch of FIRSTers trying to learn more about computer security. But, if you feel you have the skills necessary, by all means, join in the competition and teach us a thing or two. ;)

We'll be setting up the computers this Friday and we'll be having a meeting in IRC starting at 4pm (this may change, we'll see). We're #aftershock on irc.freenode.net. If you want to have a say in the games, go there then, and we'll chat. We'll be arranging times and dates then too. It's impossible to adjust to everyone's busy schedule, but hopefully at least one member of your team will be able to participate at any give time. Just a reminder: we're doing this piecemeal. Grace period will be one four hour block one day. We'll discuss afterwards if you really need more time or any other concerns you may have. (Remember, you get bonus points for every minute before the end of grace your team finishes :))

Re: 263's Computer Hacking Competition
 

What timezone?
That seems short. Depending on the system, it could take over an hour just to compile the kernel. Not to mention the time it'll take to explore the system and patch holes.

Re: 263's Computer Hacking Competition
 

EST (UTC -5). We've decided to have a meeting tomorrow at 8pm EST if you can't goto the Friday meeting. If you can't go, feel free to ask the questions here.
What I was planning on was doing the four hour session and then all of us evaluating what we've done. In all likely hood we'll need another four hour (or maybe five if we can squeeze it), but we'll see when we do it. I doubt your kernel compile will take that long on these computers, but I don't know what computers Rob (the_unknown) is using right now. We'll see. But, if you're strapped for time, won't that make the competition interesting? :)

Re: 263's Computer Hacking Competition
 

What are the specifications for backdoors or for the vulnerable network service. I think it would be cool to write our own vulnerable network service to meet your specs. The closer you follow the specs(including specs on vulnerabilities) the more points awarded.

Also, can we write/download an IDS?

Re: 263's Computer Hacking Competition
 

Just to throw out some ideas:

-It must provide a service (echo, date, it can add two numbers together, etc).
-It must be TCP, not UDP.
-It must be less than 200 lines.
-It must be susceptible to an exploitable buffer overflow exploit. Now what consitutes that is a matter of debate, but keep it simple, and you can get credit for this.

If you like this idea, join the competition and talk to us in IRC tomorrow or Friday.
Yep. Definite bonus points if you write one, though.