Hack IIS6 Contest

CmdrTaco posted more than 9 years ago | from the get-your-crackz0r-on dept.

545

ThePurpleBuffalo writes "This just came in across a BugTraq mailing list from Roger Grimes: 'Starting May 2nd and going until June 8th, the server located at http://www.hackiis6.com/ will welcome hackers to attack it. If you can deface the web site or capture the "hidden" document, you win an X-box! Read contest rules for what does and doesn't constitute a successful hack. We've tried to be as realistic as possible in what constitutes a successful hack, and in mimicking a basic HTML and ASP.NET web site. ' "

GNAA FIRSTUS POSTUS (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#12444277)

IMPERIUM NEGRUM RECTUM

and done. (4, Funny)

michaelhood (667393) | more than 9 years ago | (#12444278)

i win!

Re:and done. (4, Funny)

Mz6 (741941) | more than 9 years ago | (#12444293)

...done here too. Just changed it back to the original. Where's my Xbox?

Re:and done. (0)

Anonymous Coward | more than 9 years ago | (#12444330)

Nop, you lose, from the rules ::
Not to reveal any mention of hack success for 24 hours to anyone but the hackiis6.com email address listed above.

Re:and done. (0)

Anonymous Coward | more than 9 years ago | (#12444492)

Here's the URL for a graphics free version:

http://www.hackiis6.com/%5C/%5C/%5C/%5C///%5C/%5C/%5C/%5C/%5C/%5C/%5C/

webserver (1, Funny)

Anonymous Coward | more than 9 years ago | (#12444285)

is it running standalone apache?

Does DOS attacks count (4, Funny)

CrazyJim1 (809850) | more than 9 years ago | (#12444290)

If so, I think Taco deserves the Xbox.

No a DOS does not count, slashdot is out :) (4, Informative)

thrill12 (711899) | more than 9 years ago | (#12444387)

A successful hack does not include:

1. External denial of service attack against web server computer, or any participating vendor, or device. Denial of service attacks due to successfully modified content on web server computer are fair game.


They counted on that one :)

Already defaced (0, Troll)

Lispy (136512) | more than 9 years ago | (#12444291)

Nothing to see here... ;)

We may not be able to hack it... (1, Funny)

aftk2 (556992) | more than 9 years ago | (#12444297)

But after being posted on Slashdot, in about fifteen minutes, we'll have done the next best thing!

won't take long.... (-1, Flamebait)

prof666 (787759) | more than 9 years ago | (#12444302)

duh hack IIS...well that challenge will take all of 15 mins then...

Re:won't take long.... (5, Insightful)

ozric99 (162412) | more than 9 years ago | (#12444432)

I hear this all the time, mainly from high-school kids or the kind of immature person who thinks they're a computer guru because they use IRC or download "warez". So.. If this is so easy, go ahead. You said 15 minutes but to be fair I'll wait a couple of hours. If I don't see a message like "hacked by prof666" on the front page I'll assume you're a karma-whoring troll with about as much tech-savvy as my young, "guru" relatives.

I may have migrated our web servers from IIS4 on NT4 to apache on debian as soon as I got the chance but that doesn't mean I'm not able to call bullshit on typical wannabe geeks slating MS software with no real knowledge of why they're slating it.

Re:won't take long.... (2, Insightful)

CausticPuppy (82139) | more than 9 years ago | (#12444500)

duh hack IIS...well that challenge will take all of 15 mins then...

Apparently not.

Done (0, Redundant)

bmiller949 (681252) | more than 9 years ago | (#12444304)

No need to hack it, it has been slashdotted... same thing :)

And who is to say (3, Interesting)

Gentoo Fan (643403) | more than 9 years ago | (#12444308)

that if someone did hack it, the admins will reset it quickly and block the particular method?

Re:And who is to say (3, Funny)

uucp2 (731567) | more than 9 years ago | (#12444377)

Isn't that the entire point of the contest? At price of one Xbox per hole plugged...

Re:And who is to say (4, Interesting)

NetNifty (796376) | more than 9 years ago | (#12444415)

IIS isn't open source and as a result of that it's going to be difficult to fix some holes without it being noticed (like for example a buffer overflow might be fixable by disabling something, but if that thing you're disabling is ASP handling, it's gunna get noticed) or help from MS.

Physical Access (-1, Troll)

Anonymous Coward | more than 9 years ago | (#12444309)

Just find out where it is located and gain physical access, Windows is not hard to crack at all once you have attained that level of access. While this isn't really fair, and probably not worth it since the price of an airplane ticket is probably higher than the cost of the Xbox, it would still be very interesting. Plus it would likely require an immense amount of social engineering... but still it doesn't seem like it would be much of a challenge.

Re:Physical Access (4, Informative)

Medgur (172679) | more than 9 years ago | (#12444358)

From TFA:
"A successful hack does not include:
  1. External denial of service attack against web server computer, or any participating vendor, or device. Denial of service attacks due to successfully modified content on web server computer are fair game.
  2. Attacks or modifications of any computer or device besides web server or database computers.
  3. Attacks involving external domain naming services.
  4. Publishing readily available directory or file listings without accessing or modifying files on the web server or database computer.
  5. Physical attacks."

Re:Physical Access (1)

RzUpAnmsCwrds (262647) | more than 9 years ago | (#12444420)

"Windows is not hard to crack at all once you have attained that level of access."

Well, no shit sherlock. Every OS, including Linux, is easily crackable if you have access to the hardware.

Re:Physical Access (1)

scooby111 (714417) | more than 9 years ago | (#12444434)

That's got to be the dumbest thing that I've heard of. I hope you're being sarcastic. No system is even remotely safe without physical security. I can guarantee to you that I can hack nearly any computer ever invented if I can get access to it physically.

Re:Physical Access (1)

MrByte420 (554317) | more than 9 years ago | (#12444504)

Read the Rules buddy...

Hmm.. (-1)

Henk Poley (308046) | more than 9 years ago | (#12444314)

Re:Hmm.. (1)

Henk Poley (308046) | more than 9 years ago | (#12444342)

Never mind.. I should have read the page, code and the replies.

Now go mod me down :-P

Yeah, ok (1)

IoN_PuLse (788965) | more than 9 years ago | (#12444390)

Did you look into that post? I mean, it's a joke, or to someone who actually believes it, a bad day =)

Re:Hmm.. (1)

GrassMunk (677765) | more than 9 years ago | (#12444398)

Someone please run this code? I'm stuck on my win machine, run it and let me know what happens ;)

Request for anyone trying this (4, Funny)

goldspider (445116) | more than 9 years ago | (#12444315)

Please please PLEASE replace the home page with our favorite ring-bearing orifice stretcher!

Re:Request for anyone trying this (3, Funny)

Craig_P92669 (875776) | more than 9 years ago | (#12444352)

Why would you want to put a picture of Bill Gates on it?

Re:Request for anyone trying this (0)

Anonymous Coward | more than 9 years ago | (#12444400)

SCORE!

Re:Request for anyone trying this (3, Funny)

Anonymous Coward | more than 9 years ago | (#12444457)

*_g_o_a_t_s_e_x_*_g_o_a_t_s_e_x_*_g_o_a_t_s_e_x_*
g_______________________________________________g
o_/_____\_____________\____________/____\_______o
a|_______|_____________\__________|______|______a
t|_______`._____________|_________|_______:_____t
s`________|_____________|________\|_______|_____s
e_\_______|_/_______/__\\\___--___\\_______:____e
x__\______\/____--~~__________~--__|_\_____|____x
*___\______\_-~____________________~-_\____|____*

....just kidding ;)


And if you can hack the XBox (5, Funny)

drmarcj (807884) | more than 9 years ago | (#12444319)

You get sued!

Forget XBox... (0, Offtopic)

mikvo (587789) | more than 9 years ago | (#12444321)

...I want a free lightsaber.

How long (3, Insightful)

ceswiedler (165311) | more than 9 years ago | (#12444322)

If they leave it up permanently, I'm sure it will be hacked once the next exploit is available. It's not impossible to secure a system like IIS, but it's much more difficult to make it secure permanently, as new exploits are found.

If this is a test of IIS's security (for example as opposed to Apache) they should make it an ongoing test, and measure it not by whether it was hacked within a certain short time period, but how many times it is hacked over a long period of time.

Re:How long (5, Insightful)

PhoenixK7 (244984) | more than 9 years ago | (#12444464)

Yeah, frankly I don't really see the value in this. If someone doesn't hack it, it means nothing, this isn't a real-world test where the machine is only up for what, a week? This proves zero besides the machine was constantly being patched up and no new exploits were found that weren't patched during that time. What would be impressive would be if they left it up UNTIL someone cracked it. If that machine could stay up for a few months, say, maybe a year before being hacked, that would be much more useful as a statement about the security of the system.

This is really just a publicity game. It makes MS look good if it makes it through the week, but it doesn't really prove that their software is secure.

On the other hand, if they DO get hacked, that would look pretty bad. But.. who's to say they haven't totally locked that thing down to the point where it's both not really representative of a "normal" server.

*shrug*

Re:How long (2, Insightful)

weopenlatest (748393) | more than 9 years ago | (#12444476)

It's not impossible to secure a system like IIS, but it's much more difficult to make it secure permanently, as new exploits are found.
Just because exploits aren't found, doesn't mean they're not there. You can't say a system is secure just because it's not vulnerable to known bugs. If a bug is posted tomorrow that makes all IIS servers vulnerable, it doesn't just mean that those servers are vulnerable tomorrow. They're also vulnerable today.

Check out the rules (5, Funny)

dtfinch (661405) | more than 9 years ago | (#12444324)

Contest open to anyone at least 18 years old as of date of entry.

There goes 3/4 of the most qualified contestants.

Does DDoS'ing it count? (1)

El_Smack (267329) | more than 9 years ago | (#12444325)

Cause if it does, we all just won XBoxes!

Re:Does DDoS'ing it count? (1)

DarthVeda (569302) | more than 9 years ago | (#12444414)

No I think the submitter wins.

If I could hack IIS6 .. (5, Insightful)

grazzy (56382) | more than 9 years ago | (#12444326)

I sure as hell wouldn't give that knowledge away for a Xbox...

Re:If I could hack IIS6 .. (1)

mule007 (767116) | more than 9 years ago | (#12444403)

My thoughts exactly..

I think if companies are expecting any kind of useful results from these hacking contests, they're going to have to pony up some serious incentives to draw the serious hackers. An xbox as a prize is just laughable.

Re:If I could hack IIS6 .. (1)

the MaD HuNGaRIaN (311517) | more than 9 years ago | (#12444463)

Mod parent up.

I mean, really. I guess they're aiming for the 12 year old uber leet haxors [afterdawn.com] with a prize like that.

If you want to attract serious attackers, give a worthy incentive.

What about Apache? (0)

Anonymous Coward | more than 9 years ago | (#12444328)

Such a contest is a nice way to test the reliability/security of a system. I would love to see a www.hackapache.com or something that invites the users to hack Apache + Some FTP server.

Just to see how well it stands against IIS. I guess the problem would be the os... because hacking Apache under a secure (that is non-MS) OS wouldn't give you much to do.

Oh! How I love to have my doors open by installing insecure software!

Anyone has an exploit for IIS6 i can use (1)

Eglis (219433) | more than 9 years ago | (#12444333)

Anyone has an exploit for IIS6 i can use, i really need this xbox and i don't have enough money to buy one on ebay :(

When is the Hack Apache contest? (4, Interesting)

NavySpy (39494) | more than 9 years ago | (#12444344)

I wonder when the "Hack Apache" contest will be held.

Re:When is the Hack Apache contest? (1)

glam0006 (471393) | more than 9 years ago | (#12444519)

Where have you been for the last 10+ years?

Slashdot Effect! (0, Redundant)

CypherXero (798440) | more than 9 years ago | (#12444346)

Oh yeah, I claim this attack method! I won!

no one will do it (1)

TheKubrix (585297) | more than 9 years ago | (#12444348)

Description of how hack was accomplished

That's giving away trade secrets that are worth far more than a lousy Xbox....

If someone does... (1)

Virtual Karma (862416) | more than 9 years ago | (#12444357)

What if someone does and they sue them for the act? Who's going to take the risk?

pfff... (2, Funny)

nubbie (454788) | more than 9 years ago | (#12444360)

rather see them hack http://microsoft.com [microsoft.com] .

Re:pfff... (1)

rvw (755107) | more than 9 years ago | (#12444470)

Don't they use Linux for their website?

The only problem with this contest.... (4, Funny)

NecroPuppy (222648) | more than 9 years ago | (#12444361)

Is that the winners get X-Boxes....

Hack? Or crash? (-1, Troll)

hacker (14635) | more than 9 years ago | (#12444362)

I know of a nice simple one... just add the following tag outside your starting html tag in any static HTML page, and it will crash any and all versions of MSIE:
<input type>
<html>
...
</html>

Doubt me? go here [gnu-designs.com] with MSIE and see for yourself. Yes, it even crashes MSIE running in Wine.

Re:Hack? Or crash? (1)

cosinezero (833532) | more than 9 years ago | (#12444394)

Doesn't crash mine... IE 6.0.28

Re:Hack? Or crash? (1)

nubbie (454788) | more than 9 years ago | (#12444395)

Can't say it works. Version: 6.0.2900.2180.xpso_sp2_gdr.050301-1519

Re:Hack? Or crash? (1)

nberardi (199555) | more than 9 years ago | (#12444411)

What are you talking about dude, I just went there with IE6 and nothing happened. Is this a joke or something? All that I saw was a text box with some text that said "MSIE crash, go BOOM!". You guys really make me laugh; any idiot can put an anti-Microsoft page out there and you will flock to it like it came from god himself.

Re:Hack? Or crash? (0)

Anonymous Coward | more than 9 years ago | (#12444418)

6.0.2800.1106 seems to have no trouble.

-theGreater.

Re:Hack? Or crash? (1)

Malc (1751) | more than 9 years ago | (#12444421)

Huh? Why are you talking about MSIE when the story is about MSIIS?

Um, no (1)

Safety Cap (253500) | more than 9 years ago | (#12444427)

Running IE 6 on Win XP + SP2, works just fine.

Re:Hack? Or crash? (0)

Anonymous Coward | more than 9 years ago | (#12444428)

That would almost be interesting if it worked.

Re:Hack? Or crash? (0)

Anonymous Coward | more than 9 years ago | (#12444438)

You really shouldn't post incorrect information like that with your +1 modifier because it makes you look like an idiot.

Re:Hack? Or crash? (1)

XpirateX (691224) | more than 9 years ago | (#12444446)

Doesn't crash my copy of IE6.

Re:Hack? Or crash? (1)

telecsan (170227) | more than 9 years ago | (#12444459)

Hmmm...you must be running an old version of MSIE, then. Just checked the page (IE6, XP Pro) and it works just fine. Smoking something strong, are we?

Re:Hack? Or crash? (0)

Anonymous Coward | more than 9 years ago | (#12444462)

Your code does not crash MSIE 6.0.2800.1106.

Re:Hack? Or crash? (1)

birdwax2k (787311) | more than 9 years ago | (#12444467)

Yeah...ummmm...that doesn't happen to me

Re:Hack? Or crash? (0)

Anonymous Coward | more than 9 years ago | (#12444469)

it will crash any and all versions of MSIE

Except the one I'm running, apparently.
6.0.2800.1106.xpsp2.050301-1526
Handles the page identically to Firefox 1.0.2 on the same machine.

All that aside, I fail to see how crashing an application on your local computer would constitute "hacking a web server" by any means. Or, were you just itching for an opportunity to post that on Slashdot and this was as close as it got for you?

Re:Hack? Or crash? (0)

Anonymous Coward | more than 9 years ago | (#12444471)

didn't crash my ie6...

Re:Hack? Or crash? (0)

Anonymous Coward | more than 9 years ago | (#12444480)

when you say "and it will crash any and all versions of MSIE", do you mean it will crash any and all versions of MSIE except the one I happen to be using?(6.0.2900 by the way)

And what does crashing IE have to do with the security and/or vulnerability of a web server?

Re:Hack? Or crash? (1)

XMyth (266414) | more than 9 years ago | (#12444483)

1) No, doesn't crash IE 6.0 on XP SP2.

2) We're talking about IIS not IE.

LOL! (4, Funny)

vectorian798 (792613) | more than 9 years ago | (#12444363)

I like how under the list of 'What Is Not Allowed' it lists:
5. Physical Attacks

Because, you know, us axe-murderer geek slashdotters were going to charge into the building where the server is and hack away using our cleaver 2d6.

WTF? (5, Funny)

Some Random Username (873177) | more than 9 years ago | (#12444506)

Where did you get a cleaver that does 2d6? If I knew kitchen utensils did that much damage I would have tried playing a chef instead of a cleric.

Re:LOL! (0)

Anonymous Coward | more than 9 years ago | (#12444509)

I want your cleaver:

mine's only a 1d4...

Lets slashdot that poor server also! (0)

Anonymous Coward | more than 9 years ago | (#12444369)

Don't forget that we now DDOSed that poor server too...

Poor thing.

Re:Lets slashdot that poor server also! (0)

Anonymous Coward | more than 9 years ago | (#12444401)

We now also broke the rules of the contest by DDOSing it:

A successful hack does not include:

1. External denial of service attack against web server computer, or any participating vendor, or device. Denial of service attacks due to successfully modified content on web server computer are fair game.
2. Attacks or modifications of any computer or device besides web server or database computers.
3. Attacks involving external domain naming services.
4. Publishing readily available directory or file listings without accessing or modifying files on the web server or database computer.
5. Physical attacks.

18+ (2, Insightful)

Anonymous Coward | more than 9 years ago | (#12444379)

Rules say you have to be 18 or older. That pretty much guarantees they won't be hacked. :)

Contest announcement (5, Insightful)

bigtallmofo (695287) | more than 9 years ago | (#12444384)

"Come to our site, give us free publicity, do something that likely you are the only one in the world that knows how to do and then teach us how to do it. If you do, there's a console game in it for you! Wouldn't you rather have a console game than the tens of thousands of dollars you could sell this information for?"

Re:Contest announcement (0)

Anonymous Coward | more than 9 years ago | (#12444487)

Excuse me, but who is going to pay "thousands of dollars" to buy this "information" that would simply be used to deface websites?

Opportunity Cost (1)

tqbf (59350) | more than 9 years ago | (#12444385)

Just a guess that a brand-new IIS exploit is probably worth more than a $150 game system.

I tried... (5, Funny)

zulux (112259) | more than 9 years ago | (#12444396)



I tried to hack into it and this stupid paperclip keeps getting in the way... "It looks like you're trying to hack a Website..."

Re:I tried... (1)

bigtallmofo (695287) | more than 9 years ago | (#12444445)

Where would we be without the obligatory paperclip jokes? I actually laughed out loud on this one.

Lab rats (3, Insightful)

clump (60191) | more than 9 years ago | (#12444413)

Let Microsoft do their own research. We don't need to spend our time testing for them. Focus instead on making Apache better.

But is it the default config... (1, Interesting)

moosesocks (264553) | more than 9 years ago | (#12444426)

Presumably with any previous release of IIS, if you turned enough features off and applied enough hacks, it was reasonably secure.

What I want to know is if this site is running a DEFAULT INSTALL. If it's ridiculously tweaked to be secure, it doesn't matter. most of the insecure IIS sites out there are the result of bad admins. apache can be made very insecure if you don't configure it properly.

that said, microsoft is certainly cleaning up its act on the server end. Win2000 was great, and Win2003 ain't too shabby considering what came before them.

that ALSO being said, Novell and OS X server still have 2003 beat from an administrative standpoint.

Hack one, get another one (1)

110010001000 (697113) | more than 9 years ago | (#12444435)

So if I hack one Microsoft product (IIS) I get another (Xbox)? What is the second prize, two XBox's???

Friends don't let friends install Microsoft junk -- twitter

Who cares? (1)

digidave (259925) | more than 9 years ago | (#12444441)

Web server security is already at acceptable levels for both Apache and IIS, so long as new patches are applied when they become available.

The problem with insecure web sites is that the apps themselves are the biggest security threats. It's been three years since I've heard of anybody I know actually becoming a victim of a web server security hole, but in the last year I can think of seven separate occasions where a web app has allowed somebody to deface and/or take control of a web site.

In the end it doesn't really matter if anybody hacks this IIS server since it's not the easiest or most common way to deface a site anyway.

just silly.. (1)

doowy (241688) | more than 9 years ago | (#12444442)

these sorts of ideas are fine and all when they offer high rewards.. but an xBox??

To an honest and moral person, perhaps it is worth an xBox.. to almost anyone else, that is way too valuable of a skill to lose over an xBox (this presumes they'll close the hole/exploit you use).

Even if you are honest, an xBox is hardly worth the time/effort you'll spend doing this.

What about ZOMBIES? (1, Insightful)

drsmack1 (698392) | more than 9 years ago | (#12444443)

If a zombied computer wins; who gets the xBox? The person that owns the computer? The zombie "author"?

This needs to be resolved!

Re:What about ZOMBIES? (2)

Enigma_Man (756516) | more than 9 years ago | (#12444493)

I don't know of any zombie computers that can hack into things without someone controlling it... in which case just use your own computer. Maybe you're confusing hacking with DDOSing, which is a totally different thing?

-Jesse

Security Through Destruction (1)

Doc Ruby (173196) | more than 9 years ago | (#12444448)

Finally an application for the Slashdot effect: a slashdotted server can't serve an unauthorized, confidential document!

it's hacked (1)

kjordan (881670) | more than 9 years ago | (#12444449)

it's hacked. i went to the site and it takes 5 minutes to load. oh wait, that's just the slash dot beast machine 5000 clicks at once effect.

PS2 (4, Funny)

Sebby (238625) | more than 9 years ago | (#12444450)


make it a PS2 instead and then it will be worth my time!

Does Social Engineering count? (2, Interesting)

glengineer (697939) | more than 9 years ago | (#12444451)

Maybe I could go to Colorado and buy Chad Phelps a few beers to let me win .... Registrant: Penton IT Media Group 221 E. 29th Street Loveland, CO 80538 US Domain name: HACKIIS6.COM Technical Contact: Phelps, Chad 221 E. 29th Street Loveland, CO 80538 US +01.9702032960 Fax: =01.9706672321

Re:Does Social Engineering count? (1)

kingjosh (792336) | more than 9 years ago | (#12444505)

That's about ten minutes from my place . . . haha, I will win w00t!

It would appear.... (0)

Anonymous Coward | more than 9 years ago | (#12444456)

... that attacking the OS directly will be somewhat more difficult, as they're running Symantec Enterprise Firewall with only port 80 open. I guess that the easy ways have been plugged, at least...

Grr... (1)

LePrince (604021) | more than 9 years ago | (#12444461)

I submitted this on APRIL 13TH. I wonder what it takes to get a story accepted.... 'neway.... just feelin' grumpy.

Re:Grr... (2, Funny)

WoBIX (819410) | more than 9 years ago | (#12444507)

This is probably just the dupe :)

Such low valued prize (1)

Lead Butthead (321013) | more than 9 years ago | (#12444468)

Must not have much faith in IIS...

Isn't this technically illegal? (2, Interesting)

jeblucas (560748) | more than 9 years ago | (#12444481)

IANAL, but isn't this sort of thing illegal? I was trying to compare it to a homeowner saying, "Come and take my TV if you think you can--I'll give you a cherry popsicle." But chances are, you have a pretty good idea if the homeowner actually owns that home or not--he's probably living there. He's got a deed, etc. I don't see how I can determine that Roger Grimes actually owns the server running HackIIS Contest or not. Even if he does, does that make it OK for me to break in and alter his database? After all,
A successful hack includes:
  1. Successful web site defacement (subject to the limitations as indicated below)
  2. Modification of web server or database computers
  3. Proven knowledge of content located in "hidden" Microsoft Word document.
  4. Proven knowledge of other content found on the web server or database computer.

I think they really need to have a lawyer write the release for someone to enter this contest. It just doesn't seem right. Or am I a victim of propaganda?

Full context of original e-mail. (1, Informative)

maotx (765127) | more than 9 years ago | (#12444482)

The site is down so here is the original e-mail he sent out.

Welcome to the HackIIS6.com Contest!

Starting May 2nd and going until June 8th, the server located at
http://www.hackiis6.com/ [hackiis6.com] will welcome hackers to attack it. If you can
deface the web site or capture the "hidden" document, you win an X-box!
Read contest rules for what does and doesn't constitute a successful
hack. We've tried to be as realistic as possible in what constitutes a
successful hack, and in mimicking a basic HTML and ASP.NET web site.

For the most part, almost anything reasonable constitutes a successful
attack except for a massive network denial of service attack against the
IIS 6 or its host provider. Not that doing a successful DoS attack
wouldn't be a problem in the real world...it would be...but we aren't
testing that. We want to test the security of Windows Server 2003, IIS,
and other Microsoft applications. So, please, respect this one rule of
the contest so everyone can have a chance at claiming the prize.

Questions and Prizes
If you have questions, send an email to admin@hackiis6.com. If you want
to claim a prize, send your email, with the details listed in the
official rules to prizes@hackiis6.com.

Contest Summary
We are going to start the contest for the first two weeks with the very
basic, static HTML web site that you are now reading. Two weeks later,
we'll add an ASP.NET web site and a back-end SQL server to add more
flavor and give more area to attack. We started with the basic site to
prove that Microsoft's Internet Information Service (IIS) and Windows
Server 2003 is secure by itself. This is to satisfy the purists who
think hacking ASP.NET is hacking an application and not the server.
So, if you've got skillz in one area versus the other, you'll have a
chance to try both attack types.

Once the contest stops on June 8th, we will announce the winner(s) at
the upcoming June Microsoft Tech.Ed conference.

The Setup
This server is running Windows Server 2003, Service Pack1, with all
current publicly-released patches and hotfixes installed (we ran Windows
Update and MBSA just like a real admin would do). We installed IIS 6.0
and then we followed the basic recommendations
(http://www.microsoft.com/technet/security/prodtech/IIS.mspx [microsoft.com]) suggested
by Microsoft. I added a few tweaks here and there, to put my personal
mark on the site, but nothing extraordinary.

There is no non-Microsoft software involved with the exception of the
host's router/firewall, which would be normal in most environments. We
want to make this a test of Microsoft software.

Why a hacking contest?
To have fun! Sure there will be critics who say sponsoring a hacking
contest proves nothing. If the IIS server remains unbroken, it still
doesn't mean that IIS is really "secure." True, and if I wasn't the
contest's team leader, I'd probably be the first one to yell that out.
Hacking contests rarely prove something is secure, although it only
takes a single successful hack to prove something is unsecure.

So why do it? There are very few places on the Internet where hackers,
good and bad, can hack legally. Windows IT Pro thought the contest would
be a fun way to interact with the hacker community (they realize most
hackers have good intentions) and bring some attention to Windows IT Pro
(of course, they'll disavow all responsibility and blame me solely if
the server gets hacked).

So, welcome to the contest! Hack away. If the IIS server goes unhacked
during the extended time period, it might not mean that IIS is
"unhackable", but if it does survive the contest it might convince a few
people that it is a relatively secure web server platform. After all,
over 20% of the Internet relies on it, including some of the largest web
sites in the world.

Happy Hacking,

Roger A. Grimes
Contributing editor, Windows IT Pro Magazine

Not much of a test if all the pages are static (0)

Anonymous Coward | more than 9 years ago | (#12444494)

It's those pesky little CGIs and scripts that lead to most of the mischief.

That's a lot of faith.... (1)

zippity8 (446412) | more than 9 years ago | (#12444516)

A whole contest whose purpose seems to be to publicize the security of IIS6, with a $150 prize behind it. From MS, no less.

Before the site went down, i noticed that it said "We've tried to be as realistic as possible in what constitutes a successful hack and in mimicking a basic HTML and ASP.NET web site.". Anyone can secure a box running next to no services.

Cruel hoax - maybe it's already hacked! (0)

Anonymous Coward | more than 9 years ago | (#12444520)

Maybe somebody hacked a totally innocent site, bought the hackii6.com domain, directed it to the victim machine, and manufactured the whole "contest" so that the hacker community would keep the poor machine under perpetual assault. Hmmmmmm.