[ale] Sunday 05-22-05 6PM RUN-AS-ROOT CHALLENGE

ChangingLINKS.com groups at ChangingLINKS.com
Wed May 18 04:27:46 EDT 2005 

 On Tuesday May 17 2005 18:02, Geoffrey wrote:
 > > CHALLENGE:
 > > 1. If no one can down/infect/harm my system for more than 20 minutes
 > > TOTAL - you fix (or have fixed) the 6 problems that I posted (and give me
 > > exact directions on how to apply the fixes myself.)
 >
 > You're on.

. At 1800 (6PM) on Sunday 05-22-05 the challenge will begin.
. I will setup my box like so: Internet -> broadband cable modem -> box
. I will drop all firewall rules 
. Geoffrey can confirm by phone that he has no problems reaching /
. I will leave the system open for 30 minutes
. During this time anyone on the ALE list can hack at my DAILY USE box
. At 1830 (6:30PM) I will restore the entire computer within 10 minutes.
. Finally, I will post the procedure for restoring the system as proof.

Overview of the system:
This challenge is similar to Bob Toxen's "expert hacker" challenge. Like him, 
I will give away the IP address. 

Unlike him, though, I will go much further:
 I will give everyone the root password
 I will be running as root the entire time
 I will drop all firewalls and typical security that I run
 I will NOT have a "hot spare" - or more than 1 hard drive in the box
 I will run a server including Apache, PHP 
 (Bob said it was very insecure awhile back), 
 MySQL, Perl, sshd (if I remember to start it)
 I will NOT add or remove hardware during or immediately after the challenge.
 Moreover, I will do my best to verify that ALL of you can reach root. 

For this challenge, I will be removing personal data from the system. My worry 
is not to protect it from loss, but since I will be giving FULL access to the 
entire box - and want to keep the private data private. Outside of the 
missing data, the lack of firewalls, and the direct connection to the 'Net, 
you will have direct access to the setup that I run everyday as root. I can't 
think of anything else that will aid my defeat. My point is that I will not 
try to hinder the hacking - I will let the box sit "insecurely." 
(Note: I have been having weird net connection problems for a week or two. 
It's been ultra slow. If there is a connection problem on Sunday, we can move 
the challenge to whatever time I can connect. The downtime is short-lived.)

Rooting for the visitors:
Some strategy is in order. Some of you may want to run rm -rf / as root while 
others may want to install some type of virus or trojan. I suggest you use 
this thread to coordinate that - so that you won't bump heads.



Challenge results:
The challenge will have no "tie." I will either restore the system back to 
clean state quickly (and outline how I did so), or I lose the competition.

IF I am unable to restore the system, I would like there to be a consequence. 
That's what makes challenges fun. Perhaps I can fund the pizza for the next 
Installfest ($100 worth) or something like that.

IF I am able to restore the system and explain what steps I did to make sure 
that it's "clean" and fully restored, Geoffrey will be responsible for 
providing me with clear instructions on how to fix the SIX problems (with my 
OS - not Gentoo :) ) that started this thread - within a reasonable amount of 
time. The six problems include and are limited to: 1. Unstable browser. 2. 
Reset mpu port to 300 3. Fix Gnutella  4. Get scanner working 5. Install IVTV 
driver 6. Get noteedit to produce sound 
I would like the instructions so that I can apply the changes *myself* (for 
security reasons and to learn the solutions). I will forward the journals 
that I kept on the issues and take significant steps to assist him.



My goals:
1. To get my system fixed within a reasonable amount of time.
2. To prove that I can safely run as root all of the time.

As you all know, I am NOT an expert. I don't like reading manuals much. Most 
of the time, I don't even fully understand them. I am not a professional 
system administrator. I am just a guy who uses Linux to get things done.
Thus, it should be easy for the group to defeat me in this challenge. 

I hope the most vocal anti-run-as-root crowd who sometimes come off as 
"know-it-alls" (i.e.: James Sumners, Jonathan Rickman, George Carless, Jason 
Day, Jerald Sheets, et al) will be available to participate. Moreover, in the 
event Geoffrey needs assistance, my hope is that the "RTFM, It's not a Debian 
problem" people will help him.
-- 
Wishing you Happiness, Joy, and Laughter,
Drew Brown
http://www.ChangingLINKS.com

More information about the Ale mailing list