[ale] Sunday 05-22-05 6PM RUN-AS-ROOT CHALLENGE

Jerry Yu jjj863 at gmail.com
Wed May 18 11:40:46 EDT 2005


How fast one can do complete recovery is totally irrelevant (how about your 
snapshot-by-the-minute backup actually starts to fail the night before or 
weeks before and you didn't know). 
In the real world (and/or in the wild), once an important system is down 
(between your unintended 'rm -rf /' and super-fast recovery), you have all 
kinds of losses in terms of systems availability, biz opportunity/revenue, 
goodwill/reputation/corp image/bad publicity, man-hour/over-time and other 
recovery related expenses. Facing that kind of music, I wouldn't be able to 
face myself, or peers, or boss or boss's boss, knowing that such a down-time 
is all avoidable if only I followed 'best practice' to perform a 
non-privileged action as a regular Joe instead of all-powerful superuser.

Again, on not-so-important systems, knock yourself out.



On 5/18/05, ChangingLINKS.com <groups at changinglinks.com> wrote:
> 
> On Tuesday May 17 2005 18:02, Geoffrey wrote:
> > > CHALLENGE:
> > > 1. If no one can down/infect/harm my system for more than 20 minutes
> > > TOTAL - you fix (or have fixed) the 6 problems that I posted (and give
> > > me exact directions on how to apply the fixes myself.)
> >
> > You're on.
> 
> . At 1800 (6PM) on Sunday 05-22-05 the challenge will begin.
> . I will set up my box like so: Internet -> broadband cable modem -> box
> . I will drop all firewall rules
> . Geoffrey can confirm by phone that he has no problems reaching /
> . I will leave the system open for 30 minutes
> . During this time anyone on the ALE list can hack at my DAILY USE box
> . At 1830 (6:30PM) I will restore the entire computer within 10 minutes.
> . Finally, I will post the procedure for restoring the system as proof.
> 
> Overview of the system:
> This challenge is similar to Bob Toxen's "expert hacker" challenge. Like
> him, I will give away the IP address.
> 
> Unlike him, though, I will go much further:
> I will give everyone the root password
> I will be running as root the entire time
> I will drop all firewalls and typical security that I run
> I will NOT have a "hot spare" - or more than 1 hard drive in the box
> I will run a server including Apache, PHP
> (Bob said it was very insecure awhile back),
> MySQL, Perl, sshd (if I remember to start it)
> I will NOT add or remove hardware during or immediately after the
> challenge.
> Moreover, I will do my best to verify that ALL of you can reach root.
> 
> For this challenge, I will be removing personal data from the system. My
> worry is not to protect it from loss, but since I will be giving FULL
> access to the entire box - and want to keep the private data private.
> Outside of the missing data, the lack of firewalls, and the direct
> connection to the 'Net, you will have direct access to the setup that I
> run every day as root. I can't think of anything else that will aid my
> defeat. My point is that I will not try to hinder the hacking - I will let
> the box sit "insecurely."
> (Note: I have been having weird net connection problems for a week or two.
> It's been ultra slow. If there is a connection problem on Sunday, we can
> move the challenge to whatever time I can connect. The downtime is
> short-lived.)
> 
> Rooting for the visitors:
> Some strategy is in order. Some of you may want to run rm -rf / as root
> while others may want to install some type of virus or trojan. I suggest
> you use this thread to coordinate that - so that you won't bump heads.
> 
> Challenge results:
> The challenge will have no "tie." I will either restore the system back to
> clean state quickly (and outline how I did so), or I lose the competition.
> 
> IF I am unable to restore the system, I would like there to be a
> consequence. That's what makes challenges fun. Perhaps I can fund the
> pizza for the next Installfest ($100 worth) or something like that.
> 
> IF I am able to restore the system and explain what steps I did to make
> sure that it's "clean" and fully restored, Geoffrey will be responsible for
> providing me with clear instructions on how to fix the SIX problems (with
> my OS - not Gentoo :) ) that started this thread - within a reasonable
> amount of time. The six problems include and are limited to: 1. Unstable
> browser. 2. Reset mpu port to 300 3. Fix Gnutella 4. Get scanner working
> 5. Install IVTV driver 6. Get noteedit to produce sound
> I would like the instructions so that I can apply the changes *myself*
> (for security reasons and to learn the solutions). I will forward the
> journals that I kept on the issues and take significant steps to assist
> him.
> 
> My goals:
> 1. To get my system fixed within a reasonable amount of time.
> 2. To prove that I can safely run as root all of the time.
> 
> As you all know, I am NOT an expert. I don't like reading manuals much.
> Most of the time, I don't even fully understand them. I am not a
> professional system administrator. I am just a guy who uses Linux to get
> things done. Thus, it should be easy for the group to defeat me in this
> challenge.
>
> I hope the most vocal anti-run-as-root crowd who sometimes come off as
> "know-it-alls" (i.e.: James Sumners, Jonathan Rickman, George Carless,
> Jason Day, Jerald Sheets, et al) will be available to participate.
> Moreover, in the event Geoffrey needs assistance, my hope is that the
> "RTFM, It's not a Debian problem" people will help him.
> --
> Wishing you Happiness, Joy, and Laughter,
> Drew Brown
> http://www.ChangingLINKS.com