
Crack.LinuxPPC.org Cracked

CmdrTaco posted more than 14 years ago | from the that-took-awhile dept.

Linux 125

An anonymous reader noted that it appears that crack.linuxppc.org has been, well, cracked. There is a mirror of the defaced page here being hosted by attrition.org. The actual box is down as of when I type this. On the upside, it sure took a long time for someone to get in there (I'm still amused that they posted the root password). Jason Haas from LinuxPPC said "The machine is going to Daniel Jacobowitz, who won it legitimately. The subsequent problems occurred after Dan installed a backdoor, and have since been cleared up. The original problem was that proftpd-1.2.0pre4 was left running with a /incoming directory."


125 comments


_incoming_ ? (1)

Emphyrio (125143) | more than 14 years ago | (#1443038)

I hadn't even _tried_ that one :)
Funny, that even with competitions like this, the easy holes always seem to stay open..
I think it's sort of a bad thing that the linuxppc guys missed it themselves though...

Emphyrio

Anti-Karma (0)

Anonymous Coward | more than 14 years ago | (#1443039)


The First Post Challenge, The Best Game On The Net!

This Anti- Karma HOWTO document explains how to not impress your fellow slashdotters by getting low Karma. Although Anti- Karma HOWTO documents are targeted towards use with the Windows operating system, this one is not dependent on the OS used to access Slashdot.

This Anti- Karma HOWTO is a joke.
______________________________________________________________________

Table of Contents

1. Introduction
2. Tips
2.1 Comment Length
2.2 When to Post
2.3 Where to Post
2.4 What to Post - Avoiding Positive Karma
3. Maintenance Information
______________________________________________________________________
1. Introduction

Your Karma rating on Slashdot lies in the hands of the moderators. This is your target, and as you'll soon find out it's quite easy to manipulate and fool them into moderating you down. By following a few simple guidelines you can soon surpass all the regulars, and eventually get down there with the best of the first post and off-topic whores.


2. Tips


2.1. Comment Length

Perhaps the best tip in getting moderators to moderate you down deals with the length of your posts. It's quite simple, always post very SHORT comments and when possible, MAKE IT IN ALL CAPS. Many moderators equate this with "Troll" and "Off-Topic", regardless of what you say. Furthermore, moderators are MUCH less likely to moderate you up or leave you at 1 if your post is short enough.
Also, use those invalid HTML tags! Nothing makes your post seem like a wanna be karma whore than lack of whitespace. A really stupid signature can also help out here. It is also very important to gain all the credit you can for your trollish behavior. Please use your account. The mail only needs to be used once to gain the password and if you only "FIRST POST" as AC, your negative karma will never add up.


2.2. When to Post

Timing is everything. Go for the gusto, spend most of your slashdot time refreshing the main page. If you wait too long to post, almost no moderator is going to have a chance to moderate it down -- no matter how bad your post is! As a general rule of thumb, any comment posted more than 15 minutes after a story is submitted will not be moderated one way or the other (Trolls: this is your chance!) Open a text editor and have your first post, rant or other completely off-topic comments PRE-WRITTEN and copied to the clipboard. This will save valuable seconds while you race for the prize! Be creative! Don't just tag a line that says "First Post Dude!" or something lame like that. Look at the true first post leaders. Mick the First Post Mastah, McDougal the Llama, Trollmastah, Natalie Portman Guy, and the other regulars. They seem to have style and are generally much more likely to be moderated down because of it.


2.3. Where to Post

After no extensive lab research in Slashdot moderation, some key information was made up. Make sure all your posts are not top-level posts! I cannot stress this enough. Anything posted more than all the way down, won't get seen, and you'll waste all your effort. The only exception is replying to the first batch of comments, since they're sometimes moderated more thoroughly. A bottom-level post is 16 times more likely to be moderated down than a reply!
Under current moderation practice, the first two comments are often marked as "Redundant" if they're not first-posters. Yes, I know this defies the very meaning of the word redundant, but many (not all) moderators don't seem to understand what redundant means. Leave this area alone. People will just ignore it and your post will not be noticed. This happens so often that one begins to think it's automated. Thus, strive to post first or second -- all true Anti-Karma whores know that First post is prime real estate.


2.4. What to Post - Avoiding Positive Karma

While the contents of your post aren't quite as important as comment length, it does play a large role in the fate of your post. There are a number of rules to follow when submitting posts to earn that coveted low Karma:

1) Always take sides. Nothing will get you marked as "Flamebait" faster than a controversial comment (ESPECIALLY very short to short length comments, one liner posts are generally OK regardless). Always think you can take the popular side and get moderated down. For example, it used to be possible to take a side against Windows, or take sides against Microsoft. This is no longer the case - there are too many slashdotters now who have moderator access and use Windows. Posting an anti-Windows comment will even get marked as "Flamebait" faster than an anti-Linux post these days! Go for it! Slam both sides! A good link for this is Scott Pakin's automatic complaint-letter generator [uiuc.edu] You should keep the drivel down to 2 paragraphs or less though.

2) Never Stay neutral. A good way to get moderated down in almost any thread is to never summarize both sides of the issue in one post. Not only are these posts generally shorter, but they can even be moderated down as "Flamebait"! Similarly, posts with subjects like "it's all about choice!" seem to play well with the moderators, avoid these. Make yours creative. Use subjects like "OH YOU SUCK" or "I THOUGHT SLASHDOT WAS FOR X" These will help you on your ride to the bottom.

3) Never come across as insightful. Nothing will make you appear more insightful than going against the trend of the first 25 posts or so (this doesn't conflict with #1, read on). This does mean you have to take sides. A good subject example of this faked-insight post is "Missing the point", in which you explain all the previous posts are overlooking the big picture. Avoid this at all costs. Also keep you comments as negative as possible. "I agree" should never appear in your posts.

4) Use a Flamebait comment subject. Unless you're Natalie Portman Guy (Anti-Karma God) and can get low Karma using "xxx Natalie" as your subject, you'd better follow some guidelines. Subjects like "This is a crock of shit (TM)" are generally good if your post is fairly short. Others that are moderated down included subjects with some type of quote or cliche (e.g, "Linux Sux", "Bill Gates Rocks!", or anything cheesy like that)

Another tactic that has recently become useful is starting your commentary or subject with "News For Nerds? Stuff that Matters?..". Don't worry - you will not have to post anything controversial, moderators will reward your trollish subject regardless of what you say!

5) Find related sites to the issue at hand and post broken links as soon as possible (remember, if you don't, someone else will!). You don't have to go all out, they can be general links that don't relate to the article. Links to AOL, Pron or to your own company really work well, especially if you make them "Spammish" in their appearance. Things like "Surf the net and make money! Come to my site at HTTP://Site.com". Also only embed your links some of the time. Inconsistency really gets their panties in a wad. Most moderators will mark it as "Redundant". Remember, always have your comments pre-packaged! without even checking the URLs!

Also, if someone beats you to the first post with a list of URLs, all is not lost. There's still a wonderful opportunity for some Anti-Karma. An excellent strategy is to reply with "you idiot, here are the corrected urls", in which you lie and say the links they gave were wrong, and you have the correct ones.

6) Always paste a portion of the sniglet of the article with a little commentary such as "You Suck" or "KEWL". This will always show that you didn't even click the real link to the article and shows all that you just copied and pasted from the top of the thread.


3. Maintenance Information
If you have any other ideas or tips for this Anti- Karma HOWTO, feel free to share them and they may be added to this document.

3.1 Contributors

Thanks to the creative first posters and all the trolls for their suggestions to this "Slashdot Anti-Karma HOWTO".

The exploit (1)

Kaht (122157) | more than 14 years ago | (#1443040)

Is this something new, or did they just not bother to fix it?

Is this sort of exploit a wide-spread problem, or did they just goof up?

They don't seem too happy about it... (1)

Phizzy (56929) | more than 14 years ago | (#1443041)

The box seems to be up, with this message:

We had a sudden influx of script kiddies. Page temporarily offline until the machine is fixed.

This machine resecured courtesy of drow


I guess they're a bit irked about this latest hack.

I am totally impressed that this server stayed up and uncracked for such a long time. That is, after it woke up from its slashdot-effect induced coma.

I think more companies should do this with their beta products. It would be a great thing for companies to start putting up beta versions of their servers, securing them the best they can and opening them up for attacks. This would let everyone know if the server they are about to install can withstand the force of everyone throwing what they've got at it. If more companies started creating these open targets, it would also create a situation where anyone who did not would instantly be up for scrutiny. What better method of peer review for a software project. That, and open hacking wars like this are just plain fun.

//Pre-Coffee Phizzy



/incoming == security breach??? (1)

anonymous loser (58627) | more than 14 years ago | (#1443042)

That doesn't make sense to me. I mean, I assume that the ftpd does a chroot() to the top-level ftp directory. This, by itself, does not explain how someone got root on the machine.

Re:Anti-Karma (0)

Anonymous Coward | more than 14 years ago | (#1443043)

Hmmmm.... I suppose when you find gainful employment you won't have all this spare time anymore, but alas... I did find that pretty amusing.

awesome (1)

jdonofrio99 (85809) | more than 14 years ago | (#1443044)

there's always a way to hack a machine. just takes a while to find it i guess. Still, to keep a /incoming directory open was pretty damn stupid if you ask me.

Re:/incoming == security breach??? (2)

elixir (21353) | more than 14 years ago | (#1443045)

he exploited a buffer overflow in proftpd. since the machine was a ppc, no one could use the pre-written exploits... the winner rewrote the exploit in ppc assembly.

Re:/incoming == security breach??? (2)

bmetzler (12546) | more than 14 years ago | (#1443046)

> That doesn't make sense to me. I mean, I assume that the ftpd does a chroot() to the top-level ftp directory. This, by itself, does not explain how someone got root on the machine.

Yes, it'd be nice if it was explained how the hack worked, like the PC Week hack was documented.

-Brent

Re:proftpd has had at least five releases since... (0)

Anonymous Coward | more than 14 years ago | (#1443047)


pre4 is old. they are at pre8 or pre9; and each
interim release has had security fixes such as
this...

If they had just visited the proftpd site once,
they would have seen the dire warnings to update
to the newest version.

mark

Re:/incoming == security breach??? (2)

Emphyrio (125143) | more than 14 years ago | (#1443048)

a world writable ftp directory exposes a remote root vulnerability in this version of proftpd.
Check your standard script kiddie sites (i.e. rootshell, securityfocus et al.)..

Emphyrio

I'm a little surprised... (4)

jd (1658) | more than 14 years ago | (#1443049)

Warnings about possible security risks of setting -any- anonymous account writable have been around for a while. Even SATAN, which is hardly new, used to complain viciously about that one.

On the other hand, regularly sweeping crack.linuxppc.org with security scanners, to see if there are any holes there could be construed as cheating, as it would present a moving target, which is virtually guaranteed to stay ahead of all currently-known exploits.

However, this -does- show the importance of such sweeps, for mainstream machines, and why it's important to take advisories seriously, either from a scanner, CERT, securityfocus, or the developer.

If you download a package off Freshmeat, which has a huge warning sign glued onto the announcement saying "DO NOT HAVE WRITABLE ANONYMOUS ACCOUNTS", I'd be willing to bet that the developer isn't asking for a plate of scrambled eggs, grits and toast.

Re:/incoming == security breach??? (2)

elixir (21353) | more than 14 years ago | (#1443050)

See the following article [osonline.org].

Speaking of proftpd (1)

Kaht (122157) | more than 14 years ago | (#1443051)

It's available here [tos.net] and the website is here [proftpd.org].
Funny how Freshmeat's description of it is
"Advanced, incredibly configurable and secure FTP daemon"
This will probably be counted against them, despite it not really being their fault.

why it took so long (4)

jnazario (7609) | more than 14 years ago | (#1443052)

hi all,

it took so damned long not because a hack didn't exist (ProFTPd has been vulnerable for some time) but because the standard method used to crack the, a buffer overflow, probably wasn't written with PPC assembly in mind. most BO's out there are for x86, with a good number for SPARC, as well, but only recently did some PPC shellcode (along with Alpha shell code) get put out in wide release. after the ProFTPd crack was well known, it became, unfortunately, more of an exercise of security through obscurity.

a link to a recent piece on PPC shellcode is at http://packetstorm.securify.com/papers/unix/ppc.shellcode.txt [securify.com] . i just checked for proftpd exploits on packetstorm and found quite a few; the presence of a writable incoming/ directory helps a LOT.

so, it still took longer than most challenges out there, and that's why i like LinuxPPC for various servers. that and they're just damn fast.

HTML Generator vs. "wrote exploit" (1)

r2ravens (22773) | more than 14 years ago | (#1443053)

Something looks a little hinky here. Is it just me, or do these things not seem to match:

"he exploited a buffer overflow in proftpd. since the machine was a ppc, no one could use the pre-written exploits... the winner rewrote the exploit in ppc assembly." -comment by elixir

"meta name="GENERATOR" content="Microsoft FrontPage Express 2.0"" -from attrition.org mirror of cracked page

Is it odd that one who is capable of writing in "ppc assembly" would use FrontPage.

IANAP (I am not a programmer), but I do write all my HTML by hand. This sounds funny. Am I wrong... or missing something?

This is an honest question, not intended to be a troll.

Russ

software problem, not writable "/incoming" (2)

jetson123 (13128) | more than 14 years ago | (#1443054)

Being able to write information (through ftp or otherwise) on a public server in some form or another is often an essential part of its function, and the rule "don't have publicly writable directories" simply doesn't make sense.

In this case, it appears that the ftp daemon was buggy, and in this particular case did the wrong thing with a writable /incoming directory. The solution is to run a different FTP daemon or to fix the bug.

In part, the responsibility for this lies with the ubiquitous use of C for Linux system programming. Guarding against buffer overflows in C is a lot of work, and it is humanly impossible to catch all the possible problems in a large program. C++ helps a lot with its string class. Writing servers in Java, Perl, Python, Eiffel, Ada, SML, or many of the other languages with runtime checking is even better.

Re:_incoming_ ? (2)

heh2k (84254) | more than 14 years ago | (#1443055)

it wasn't an "easy" hole, it took them several weeks (iirc) to write the ppc asm shell code.

i believe that the point of the contest was to see how long an UNMODIFIED box would stay up. that is, w/o upgrading anything.

personally, i think it's pointless. it's only a matter of time before a system is broken; there's always bugs.

Re:Anti-Karma (1)

tak amalak (55584) | more than 14 years ago | (#1443056)

This has been one of the most amusing posts I have read in a long time. Give him a break... at least he's not MEEPTing or pouring hot grits down his pants.
--

Re:HTML Generator vs. "wrote exploit" (1)

Kaht (122157) | more than 14 years ago | (#1443057)

I'm quite capable of writing my own HTML, but sometimes it's easier to use, say, an image map maker, or an html generator like netscape's... it may save time (though rarely does)

but I use it because layout is easier that way.. instead of saying, make it this many pixels right, I just click the box and drag it.. don't have to write, check, edit, check, etc until it's just right. that doesn't mean I'm any less adept at programming.

Re:Anti-Karma (0)

Anonymous Coward | more than 14 years ago | (#1443058)

These meta topics about one's ass should be filtered out. I mean why should I have to read this shit at level 2? I'd prefer not to look at these rehashed offtopic topics.

attrition (1)

heh2k (84254) | more than 14 years ago | (#1443059)

anyone have the original modified page? one of those asshole kiddies decided to rm -rf the site. imnho, attrition shouldn't mirror the script kiddie version.

MODERATE THIS DOWN (0)

Anonymous Coward | more than 14 years ago | (#1443060)

Please Moderate this down, so we dont have to look at it at level 2!

Thank you.

I guess someone had a bad xmas (1)

pivo (11957) | more than 14 years ago | (#1443061)

A little humor got your shorts in a knot?

Re:Anti-Karma (0)

Anonymous Coward | more than 14 years ago | (#1443062)

Yo Bozo, didn't you just read? If you want to guarantee that you will be re-incarnated as a cockroach, you have to post non-anonymously.

Now you have to start all over again, take your 100 points back.

attrition.org page (4)

little_blaine (126227) | more than 14 years ago | (#1443063)

The defaced page posted by attrition.org is NOT what was done when the machine was first cracked. AFAIK, the web site wasn't defaced when Dan Jacobowitz first cracked the machine, but Dan left a back door open for script kiddies to exploit and said kiddie went and did his "look at me I'm so cool send me email via hotmail - page created with frontpage" act.

Re:HTML Generator vs. "wrote exploit" (0)

Anonymous Coward | more than 14 years ago | (#1443064)

I believe that the page on attrition.org is by one of the script kiddies who followed the actual cracker in, using the backdoor he installed.

Suggestion: (1)

gnarphlager (62988) | more than 14 years ago | (#1443065)

Toolbox. I do a lot of HTML (it's what I do for a living), and rather than deal with the subtle annoyances of an editor (I've yet to find one that lets me tailor all the automated tags) I keep a few "toolbox" text files with commonly used scripts and tags (particularly complicated tables and generic headers). Less time is spent typing when you're cutting and pasting, and you can spend more time working out the gritty bits. The only drawback is it's easy to not want to write ANY new code . . . just rehash old stuff. Then again, I've spent all morning refining a JavaScript search I wrote, and it's almost pretty as well as functional ;-)

and this way you can keep your "text editor" pride ;-)

Check out the archived version's HTML (1)

Oscarfish (85437) | more than 14 years ago | (#1443066)

From the HTML of Attrition.org's mirror [attrition.org] :

meta name="GENERATOR" content="Microsoft FrontPage Express 2.0"

I wonder if this is how Attrition.org created the page, or if the hacker put up the "I won" message with it. That would be awful, wouldn't it, a version of Linux hacked on a Microsoft machine? And posted via FrontPage, arguably the worst HTML program available? Just give me pico :)

Re:HTML Generator vs. "wrote exploit" (0)

Anonymous Coward | more than 14 years ago | (#1443067)

Sounds like you're guilty of trying to control page layout. Just post a gif if that's what you want. You aren't supposed to be talking about pixels.

Re:HTML Generator vs. "wrote exploit" (1)

Bud (1705) | more than 14 years ago | (#1443068)

> Is it odd that one who is capable of writing in "ppc assembly" would use FrontPage.

Not really. A tool is a tool is a tool. If you want to produce a smart-looking web page in no time, FP is excellent. FP sucks if you want to produce nice HTML code, host your web site on non-MS servers or view it with non-MS browsers.

--Bud

One of these days dist maintainers will wake up (3)

Greyfox (87712) | more than 14 years ago | (#1443069)

I get pretty thoroughly annoyed by the assorted Linux dists that by default enable every damn server ever made. By doing so, they increase your security exposure immeasurably. New users of the OS will either never use those services or they'll open further security holes by allowing all their friends to log in. To make matters worse, most dists merrily setuid any program where the author claims it needs setuid, meaning those new users may as well be giving their friends root, because once you obtain a shell login on the machine, root becomes trivial to obtain.

A far better solution would be to not install ANY servers by default -- let the user go in and install them after the install if he wants them. For people with a legitimate need, most dists allow you to create a list of packages to install, which should work fine for any large shop that actually needs those services installed. At the same time, make it much harder to obtain a setuid bit in a standard dist. Anything that gets a setuid bit should be subjected to a source code audit to make sure that at the very least no simple buffer overflows (Such as the one that compromised this machine) exist in the software. Closed source programs should probably never be allowed a setuid bit as closed source programmers tend to be sloppier and their source isn't open to review.

Re:HTML Generator vs. "wrote exploit" (1)

Steve X (11964) | more than 14 years ago | (#1443070)

That is certainly true, but for something like the cracked page, there's very little in the way of image maps or anything even remotely complex.

> but I use it because layout is easier that way.. instead of saying, make it this many pixels right, I just click the box and drag it..

This is very true, but again, you talk of layout when there wasn't any. I'd think it would be easier to use pico on the remote box (or something equally simple) than to whip out a WYSIWYG and have to ftp it over. I mean, really... Frontpage?

Dan's Crack (5)

mhatle (54607) | more than 14 years ago | (#1443071)

A lot of us were on IRC when Dan was trying to crack the box. He realized the exploit in ProFTPd, but it still took many days to come up with the shell code.

Shell code on a PPC is much more difficult to do than Intel due to the multiple caches.

Dan intentionally didn't deface the page, all he did was add his name to the end of the credits and update the "cracks" to 1. :)

It was a pretty amazing crack exploiting not only the program, but how the CPU controls the cache. Especially when he could barely use GDB on his own machine to debug it. (GDB got confused with the discrepancies in the cache, and the out of order execution of the CPU.)

Congrats Dan! (FYI Dan hacked into the machine well over two weeks ago..)

Flooded (2)

MrPlab (79403) | more than 14 years ago | (#1443072)

Hmm, seems their machine is being flooded.

Straight from the website:
We had a sudden influx of script kiddies. Page temporarily offline until the machine is fixed.
This machine resecured courtesy of drow.


Interesting.. maybe it wasn't truly cracked after all. Hehe, that would be neat.

With karma issues,
Matthew
_____________________________________

Re:HTML Generator vs. "wrote exploit" (1)

elixir (21353) | more than 14 years ago | (#1443073)

correct

Re:HTML Generator vs. "wrote exploit" (0)

Anonymous Coward | more than 14 years ago | (#1443074)

If you want to edit, use an editor.

Re:HTML Generator vs. "wrote exploit" (0)

Anonymous Coward | more than 14 years ago | (#1443075)

> FP sucks if you want to produce nice HTML code, host your web site on non-MS servers or view it with non-MS browsers.
As Tim Berners-Lee said: ``Anyone who slaps a `this page is best viewed with Browser X' label on a Web page appears to be yearning for the bad old days, before the Web, when you had very little chance of reading a document written on another computer, another word processor, or another network.''

In others words, FP is inherently fucked up, evil, and wrong. Its users are addicted to the poison milk from teat of Microsoft. Its victims are the whole world.

Re:Flooded (1)

nmx (63250) | more than 14 years ago | (#1443076)

No, apparently Dan cracked the machine using said exploit and left a backdoor open for the script kiddies.

Re:HTML Generator vs. "wrote exploit" (0)

Anonymous Coward | more than 14 years ago | (#1443077)

> I'd think it would be easier to use pico on the remote box
I'd rather use an editor. :-)

Re:HTML Generator vs. "wrote exploit" (1)

Kaht (122157) | more than 14 years ago | (#1443078)

Looking at the cracked page, you're definitely correct. I have no idea why he would do that... I mean, given that it was all text, simply putting a .html extension on a text file would've worked. Any other ideas on why he might've done this, other than he doesn't know what he's doing?

It's possible that he's a programmer, and still just doesn't know how the WWW works, I guess... perhaps he had front page lying around on his computer, or one nearby, and used it rather than going to a website and checking the HTML to figure out how it works. Also, perhaps he thought it'd be a complicated language, and wasn't about to waste his time trying to learn it... I've never seen COBOL, but I still think it'd be difficult to learn in a short period of time.

Re:Dan's Crack (1)

Nick Mitchell (1011) | more than 14 years ago | (#1443079)

PowerPC's are not out-of-order...?

Packages need some way to validate security (2)

Christopher B. Brown (1267) | more than 14 years ago | (#1443080)

What "the world needs" is for there to be some automated tools to help search for configuration problems of this sort.

Something like cfengine [hioslo.no] would be usable to this end; make install should generate a cfengine script that validates the system configuration, with the option of either warning of problems or of fixing them.

If not cfengine, [hioslo.no] then something else may be usable.

The critical point here is for the tool used to not merely be "a shell script," as those may get diverse in style to the point of unreadability. The validation needs to be in more of a descriptive style so that it doesn't get unreadable.
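One way to express the descriptive-style check this comment asks for, as an added example that is not part of the thread and is not cfengine or ProFTPD code: permission rules are kept as data and evaluated over an anonymous FTP tree, with the option of warning or fixing. The rule names, the `POLICY` layout and the sample tree (`pub/`, `incoming/`) are assumptions constructed for illustration.

```python
import os
import stat
import tempfile

# Policy is data, not script logic. Each rule names a file type, the mode bits
# that must NOT be set on it, and an allowlist of relative paths exempt from
# the rule. Rule names and this layout are hypothetical.
POLICY = [
    {"name": "no-world-writable-dir", "type": "dir",
     "forbid": stat.S_IWOTH, "allow": set()},
    {"name": "no-world-writable-file", "type": "file",
     "forbid": stat.S_IWOTH, "allow": set()},
    {"name": "no-setuid-setgid-file", "type": "file",
     "forbid": stat.S_ISUID | stat.S_ISGID, "allow": set()},
]


def scan(root):
    """Yield (relative_path, st_mode) for every entry below root.

    lstat() is used so a symlink is reported as a symlink, never as its target.
    The root directory itself is not yielded, only what is beneath it.
    """
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root), os.lstat(full).st_mode


def evaluate(entries, policy=POLICY):
    """Return sorted (rule_name, relative_path, mode_string) findings."""
    findings = []
    for rel, mode in entries:
        if stat.S_ISDIR(mode):
            kind = "dir"
        elif stat.S_ISREG(mode):
            kind = "file"
        else:
            continue  # symlinks, devices, sockets: outside this policy
        for rule in policy:
            if rule["type"] != kind or rel in rule["allow"]:
                continue
            if mode & rule["forbid"]:
                findings.append((rule["name"], rel, stat.filemode(mode)))
    return sorted(findings)


def fix(root, findings, policy=POLICY):
    """The 'fix' option: clear exactly the bits each violated rule forbids."""
    forbid = {rule["name"]: rule["forbid"] for rule in policy}
    for name, rel, _ in findings:
        path = os.path.join(root, rel)
        current = stat.S_IMODE(os.lstat(path).st_mode)
        os.chmod(path, current & ~forbid[name])


def build_sample_tree():
    """Constructed sample: an FTP root with a world-writable incoming/."""
    root = tempfile.mkdtemp(prefix="ftproot-")
    os.mkdir(os.path.join(root, "pub"))
    os.mkdir(os.path.join(root, "incoming"))
    with open(os.path.join(root, "pub", "README"), "w") as fh:
        fh.write("constructed sample file\n")
    # chmod explicitly so the result does not depend on the caller's umask.
    os.chmod(os.path.join(root, "pub"), 0o755)
    os.chmod(os.path.join(root, "pub", "README"), 0o644)
    os.chmod(os.path.join(root, "incoming"), 0o777)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for name, rel, mode in evaluate(scan(root)):
        print(f"WARN {name}: {rel} ({mode})")      # warn-only pass
    fix(root, evaluate(scan(root)))                # fixing pass
    print("findings after fix:", evaluate(scan(root)))
```

A deliberately writable upload directory would go in a rule's `allow` set, which keeps the exception visible in the policy rather than buried in script logic.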

Re:Anti-Karma (0)

Anonymous Coward | more than 14 years ago | (#1443081)

Hey, I LIKED The Glorious Meept! The grits and Natalie Portman stuff are all one-shot-at-best attempts at humor that haven't shown any originality in a long time (if ever), but at least The Glorious Meept! was an original. I mean, how can you help but laugh at stuff like, "The Glorious Meept! would like to combine all the divided factions of Slashdot into one big glorious divided faction"?

Of course it could just be like disco nostalgia, fondly remembering something that was just plain annoying at the time. I suppose in a year or two we'll all be wishing the Natalie Portman posts were the *least* annoying thing on /.

Re:HTML Generator vs. "wrote exploit" (1)

Relforn (105625) | more than 14 years ago | (#1443082)

In other words, Front Page is very, very, very Politically Incorrect!

Grrr! Grrr! Bad, bad Front Page! Grrr! Grrr!

(insert doinky sound clip of Martin the Marvin saying "you are making me very, very angry!")

Re:HTML Generator vs. "wrote exploit" (2)

evilpenguin (18720) | more than 14 years ago | (#1443083)

If I read the lead article correctly, the defaced web page was done by someone else after a back-door had been installed by someone who wrote a PPC exploit of the proftp hole. In other words, FrontPage boy had to be let in by someone who knew how to do something... Mind you, I'm just interpreting the lead story -- I do not have firsthand knowledge.

503010 login attempts? (1)

Redundant() (89068) | more than 14 years ago | (#1443084)

503010 login attempts that would take about 6 days assuming they worked ass backwards at one attempt per second. I wonder what kind of password gen they used?

Re:_incoming_ ? (1)

little_blaine (126227) | more than 14 years ago | (#1443085)

Emphyrio, I'm just curious, if you had tried it, just what would you have done? This is not an easy hole...

Script Kiddie Bait. (3)

GodHead (101109) | more than 14 years ago | (#1443086)


So what exactly does this contest prove? Not that the box is secure. All it means is that the 31337 hax0r dudes couldn't find a script to gain root. How many people actually think that the real black hats will stop trying to transfer funds from NationsBank long enough to really try and break this machine. And even if master hackers did get root why would they bother to boast about it with some lame "U R Ow3nd!" page? Most likely they'd use the information to hack other boxes.


So take these "security challenges" with a grain of salt. And please, no "Why doesn't every vendor do this." posts.


G.H.
I do not want what YOU haven't got.

Re:HTML Generator vs. "wrote exploit" (0)

Anonymous Coward | more than 14 years ago | (#1443087)

Not true... I know quite some people who can hack (I can't) but ask me or someone else to put together a HTML page.

Re:HTML Generator vs. "wrote exploit" (2)

dillon_rinker (17944) | more than 14 years ago | (#1443088)

Several others in this thread have already made comments amounting to "a tool is a tool", so I'll chime in with this. I have a friend who is fluent in 486 assembler (he does embedded control work). He also knows C. I ask you, why would someone who knows assembler use a compiler to create binaries?

I know how to use a screwdriver to turn screws by hand. I prefer a variable-speed drill with a screwdriver bit. A $39.95 Black & Decker works as well as a DeWalt.

linuxppc already awake (4)

mcc (14761) | more than 14 years ago | (#1443089)

> A far better solution would be to not install ANY servers by default -- let the user go in and install them after the install if he wants them.

i have linuxppc 1999, and they actually do exactly what you suggest. Nothing, not even httpd or telnetd, is turned on by default, and to turn it on you have to go into whatever that file is and uncomment out the lines. Meaning nothing gets enabled unless the user cares..
which is why linuxppc makes such a big deal about their "out of the box" security, since you're no more likely to crack linuxppc "out of the box" than the proverbial server with no network connections buried in a concrete box.. there's nothing there to crack.

i believe that the thing with the crack.linuxppc.org box specifically is that they started out with nothing enabled, and then have been slowly adding services over time in order to make hacking easier..

Did they use LIDS? (0)

Anonymous Coward | more than 14 years ago | (#1443090)

LIDS (Linux Intrusion Detection System) provides many enhancements to the kernel that should be looked into by sysadmins. It not only provides added logging capabilities, it prevents some actions from being performed even by root!

See the LIDS web site and mailing list for more details;

http://www.soaring-bird.com.cn/oss_proj/lids

Don't be a dumbass (1)

Zico (14255) | more than 14 years ago | (#1443091)

You can tell FP which brand of browser you're targeting (IE, Netscape, WebTV, or a combination), which generation of browser you require as a minimum (version 3.0 and up, or 4.0 and up), which server will be hosting the pages (Apache or IIS), as well as whether or not they use FP Server Extensions. And yes, you can choose a custom option for all of those choices. Now what does this have to do with a "Best Viewed By" banner?

Cheers,
ZicoKnows@hotmail.com

Re:Script Kiddie Bait. (1)

the eric conspiracy (20178) | more than 14 years ago | (#1443092)


I don't think that this 'proves' anything. However I do find these case histories interesting.

Re:Anti-Karma (0)

Anonymous Coward | more than 14 years ago | (#1443093)

Too bad this is a blatant ripoff of the Karma HOWTO. Funny anyways though...

Re:HTML Generator vs. "wrote exploit" (1)

mcc (14761) | more than 14 years ago | (#1443094)

yeh but the funny thing here is that it WASN'T smart-looking. it contained nothing more than three <p>s and a <body bgcolor>. Obviously anyone who would use MS Frontpage to do something _that_ simple doesn't know ANY html at all. Which is the original poster's point, that anyone who knows ppc assembly would know enough html that it would be _much easier_, at least for the level of simplicity in this page, to open notepad and do it there.. a tool may be a tool, but there are times where what you want to do is simple enough that an automatic tool like frontpage becomes more cumbersome than helpful..

Of course since the people responsible for attrition's version apparently didn't know PPC assembly after all it's a moot point, but whatever.

Re:Anti-Karma (0)

Anonymous Coward | more than 14 years ago | (#1443095)

I suppose in a year or two we'll all be wishing the Natalie Portman posts were the *least* annoying thing on /.

They already are.

I propose we create a new site: meept.org. We'll post deliberate flamebait articles and spend all day trolling.

Of course, the site will eventually be ruined by slashdotters posting "serious" discussions.

Re:HTML Generator vs. "wrote exploit" (0)

Anonymous Coward | more than 14 years ago | (#1443096)

> I think the guy probably meant it as a joke. Or maybe to cast irony on the fact that a microsoft dude hacked linux.

Re:Dan's Crack (3)

Anonymous Coward | more than 14 years ago | (#1443097)

In response to all the posts on this, I felt it would be best to give people a bit of a timeline of what happened when. Please note, I am a Fine Arts Major with hardly any low-level computer experience, so even though he talked about *how* he was doing it frequently enough, I didn't understand more than 2% of it.

Wednesday Dec 15th:
Finals are over: Dan gets started.
Friday Dec 17th:
Dan successfully cracks the Machine. Increments Number of Cracks, adds name to Credits, and waits to see how long it takes for someone to notice. Leaves self back door in form of open port to telnet to.
Thursday the 23rd:
I notice the change of the website to what is currently hosted here [attrition.org], and emailed Dan about it. (on a side note, I'm not trying to take credit for notifying him first. I'm just stating what I saw)
by Friday the 24th:
Dan resecured the site [slashdot.org].

Signed,
Mike
The guy who lives next to Dan.

fnord (1)

zpengo (99887) | more than 14 years ago | (#1443098)

hail eris

Re:Anti-Karma (0)

Anonymous Coward | more than 14 years ago | (#1443099)

Thank you Captain Obvious

I think it is supposed to be.

UNIX security is hopeless. (4)

Animats (122034) | more than 14 years ago | (#1443100)

Look. The problem is architecture. Nothing that has servers running as root is ever going to be secure. The amount of trusted software is just too large. The problem is that so many people have seen nothing but the UNIX/NT model of the world that they don't realize there are other ways to design a system.

There are alternative OS architectures. But they're rare on PCs.

  • Systems with "mandatory security". This is the feature that gets you above the C level in the Orange Book standards. In the mandatory security world, there is no root login, and as you increase in privilege level, you can read less and less. If you log in as the security officer, you can only read security-officer level files and use special security-officer tools; you can't use the system normally. So viruses, etc. can't leak upwards. Conversely, programs running at high security levels can't write data to lower levels, so classified data can't leak down.
  • Transaction processing OSs, the archetype of which is IBM's CICS. Think of an OS architected to run CGI-BIN programs, each in its own protected space.
  • Capability-based systems, like EROS and KeyKOS. Unfortunately, the people who write these tend to be incomprehensible. And work on EROS seems to have stopped since the key people graduated. EROS is GPL'd, and someone might pick it up and bring it up to the point that it was usable. Any takers?

We need one widely used secure OS, just so people can see what one is like.

Re:Don't be a dumbass? (0)

Anonymous Coward | more than 14 years ago | (#1443101)

Answer: which brand of browser you're targeting (IE, Netscape, WebTV, or a combination)

Question: what does this have to do with a "Best Viewed By" banner?

I can see someone answering their own question if they have a very long post, and make numerous points, but you must have the attention span of a gnat if you couldn't see THAT one.

Let me make it a little plainer for you - HTML should not have to be targeted to a specific browser. If it's written properly, it will look good in any browser. If you have to "target" it at all, then it's not written properly.

Re:They don't seem too happy about it... (1)

JustDan (117535) | more than 14 years ago | (#1443102)

Making machines available for attack on the net does nothing to increase the security of a product.

In a perfect world, it would, but the fact is that the people with the smarts to find the security holes in a product are not the ones that respond to such "cracker challenges". Every once in a while, the Hacker News Network [hackernews.com] has a news item on some (cr|h)acker challenge, in which they decry such activities much more eloquently than I can. I'm pretty sure they have a Buffer Overflow about it too....

Whoa whoa whoa (2)

FascDot Killed My Pr (24021) | more than 14 years ago | (#1443103)

And please, no "Why doesn't every vendor do this." posts.

Let's be careful with our non sequiturs, there, pardner.

I agree that "cracking contests" like this do NOT prove you have unbreakable security. But that doesn't mean that crack attempts are useless.

For instance, all security experts recommend that you should try to crack your own boxes to test them. How is this different?
---

Re:HTML Generator vs. "wrote exploit" (0)

Anonymous Coward | more than 14 years ago | (#1443104)

`notepad'? Pardon me as I vomit. Even Microsoft's victims deserve a real editor, and can get one. More than one, actually.

Re:HTML Generator vs. "wrote exploit" (2)

w3woody (44457) | more than 14 years ago | (#1443105)

You're not missing anything; HTML and PowerPC assembly are two different languages. Hell, it would be like me sniffing my nose at you because you couldn't code in Cobol or something else equivalently useless to you where you work...

Re:One of these days dist maintainers will wake up (1)

WinTired (125929) | more than 14 years ago | (#1443106)

Couldn't agree more! I'm new to Linux, but when I saw all the services running in my machine, all turned on by default, I decided I won't boot into Linux with a phone cable even close by until I've figured out what each and every one of those services does. It may not be "cool", but at least no one is touching my SAM, that's for sure.


-------------------------

Re:Anti-Karma (0)

Anonymous Coward | more than 14 years ago | (#1443107)

If you don't want to look at replies to offtopic posts, just create an account, go into your preferences section, and tell it not to re-parent comments. Now stop complaining.

Re:HTML Generator vs. "wrote exploit" (0)

Anonymous Coward | more than 14 years ago | (#1443108)

Where is the logic? If one knows X how does that make him or her know Y.

Re:UNIX security is hopeless. (1)

realfnord (110278) | more than 14 years ago | (#1443109)

Sounds like you want RSBAC: http://www.rsbac.de/rsbac/

From the overview:
"What is RSBAC?
RSBAC is a security extension for current Linux kernels. It is based on the Generalized Framework for Access Control (GFAC) by Abrams and LaPadula and provides a flexible system of access control based on several modules.
All security relevant system calls are extended by security enforcement code. This code calls the central decision component, which in turn calls all active decision modules and generates a combined decision. This decision is then enforced by the system call extensions."

Re:software problem, not writable "/incoming" (1)

Cramer (69040) | more than 14 years ago | (#1443110)

Oh spare me your bullshit. Buffer overflows happen everywhere (even in assembly.) It's fairly trivial to audit code for overflow problems.

The true problem is not the compiler or the language. It's the idiot with the keyboard writing the program in the first place. Everyone wants to flog Microsoft for their unbelievably stupid programming, but no one ever has a bad word about anyone else's (open source, freeware, GPL, et al.) bad code. If you think about what you are doing, then you don't have these problems.

Re:One of these days dist maintainers will wake up (1)

Cramer (69040) | more than 14 years ago | (#1443111)

Amen brother! They might as well add a checkbox/option for "install every known security flaw and a few nobody knows about" alongside the "[dist] backdoor" button.

Every time I install Redhat, it takes about 5 minutes to install (read: waste 1.3G of drive space) and then an hour to remove the brain damage and other worthless crap it installs.

I really miss the simplicity of SLS!

Re:_incoming_ ? (1)

Emphyrio (125143) | more than 14 years ago | (#1443112)

What i would have done.
If you find a proftp daemon with the right version, and you _know_ this version is vulnerable on other platforms (in the case of buffer overflows platforms not 'suffering' with a non-executable stack), the only thing you have to do is incorporate shell code for the 'target' platform into the standard exploit, and probably change some offsets.
If you regularly keep track of the (abundant) security mailing lists, you see that there is a _huge_ amount of buffer overrun exploits to be found.
Modifying shellcode to work on other hardware platforms is not arcane science; you can find lots of tutorials about it on the web (take mudge's 'smashing the stack for fun and profit' for example).
The difficulty in this case is that you need to create carefully crafted directories in the world writable directory, _and_ the buffer overflow is not directly made; a buffer is overrun, and the net result doesn't show until strlen() is called in another function. Hard thing.
Still, the core task of porting the exploit to another platform is porting the shellcode.

Fuck You. (1)

Anonymous Coward | more than 14 years ago | (#1443113)

The only people who should be shot are assholes who want to ridicule someone and call them "stupid" just because they're inexperienced. Get off your fucking high horse.

Frontpage? (0)

Anonymous Coward | more than 14 years ago | (#1443114)

Did anyone else notice that the meta tags in the defaced page are from Frontpage Express? Sounds like a script kiddie to me...

can't take your own advice? (0)

Anonymous Coward | more than 14 years ago | (#1443115)

Why didn't you post this as a logged-in user and reap the benefits of that -1 rating?

"Re" Moderate the parent... (0)

Anonymous Coward | more than 14 years ago | (#1443116)

Umm, how is this -1? Offtopic, maybe, but -1? Fact is, this is how most people here feel: This is the kind of news we want here, not "Book Reviews: LEGO Mindstorm Book Review". Now, this is a private site, and the people that run it are free to do what they like with it. But if they want to keep the droves running to slashdot, it should be kept ONtopic.

Just a thought.

Re:HTML Generator vs. "wrote exploit" (0)

Anonymous Coward | more than 14 years ago | (#1443117)

Exactly. It's people like him who make pages that look like sh*t on my monitor (running at 1280x1024). Resolution and pixels (other than image size) don't play well with a medium that can be viewed at as low as 40x24 (text mode) or as high as 4000x2000...

[center] is ok, x,y positioning just plain well isn't...

Too bad (1)

jormurgandr (128408) | more than 14 years ago | (#1443118)

I learned a lot from that server. They left just enough running to make it difficult, but possible. Nice to see that the greatest OS and the most powerful CPU make a good team. Too bad the people who designed it didn't make it a little stronger.
=======
There was never a genius without a tincture of madness.

Re:HTML Generator vs. "wrote exploit" (0)

Anonymous Coward | more than 14 years ago | (#1443119)

another one for the rocks/sucks o meter:

I would have to say that PICO ROCKS!

Don't dis the world's easiest editor! So little to learn... :-)

Re:HTML Generator vs. "wrote exploit" (0)

Anonymous Coward | more than 14 years ago | (#1443120)

Yeah, the Black and Decker is great - The first time you use it.

I talked to someone who was in the business of selling tools, especially drills. He basically explained to me why all of today's Black and Decker equipment is only a small step up from Sears quality. Old B&D stuff was not bad, but today's stuff uses plastic housings, single insulated cables, and barely enough fan action to keep the commutator cool.

DeWalt is instead, a relatively high quality tool (according to him). They don't cheapen the tool to the point where after 20 or 30 uses, it'll break.

Sounds like Frontpage is like Black and Decker, after 10 or 20 uses you can probably expect a GPF or a Blue Screen. Pico or Vi are like the DeWalt, they don't break after 10 or 20 uses...

Re:One of these days dist maintainers will wake up (0)

Anonymous Coward | more than 14 years ago | (#1443121)

SLS.... Well, Slackware exists. Give it a whirl. You'll still need to disable stuff, but it is pretty easy. Edit inetd.conf, and a couple of little things in rc.d, and you are set. :-)

I also wish in slackware you had to edit things to turn services ON, not off...

Re:UNIX security is hopeless. (2)

WNight (23683) | more than 14 years ago | (#1443122)

Congrats on a well written explanation of how it's possible to have a more secure system...

But, how is this possible without trusted binaries and all?

I mean, eventually there's an account which can do disk maintenance. This account has to be able to read the HD, and thus can read all information and write it to files another user has access to.

How do you allow ultimate access without creating what is essentially a root login with a restricted shell?

What seems to me to be the best idea is to modify most everything so that only the barest cores of the OS run as root, everything else would run as a user. Thus TCP stack exploits could crash the TCP stack, and take the machine off the net, but they couldn't give access to anything, etc.

Um, aren't we glorifying crackers? Is this good? (0)

Anonymous Coward | more than 14 years ago | (#1443123)

Posting the cracked page and giving it coverage only encourages more to crack.

Re:software problem, not writable "/incoming" (2)

WNight (23683) | more than 14 years ago | (#1443124)

Not true.

And I'm not a bullshit OOP bigot. I do 90% of my 'real' code in C.

In C, if you read a string of characters, you need to have space allocated for it. You can either read a set amount and truncate, or read a variable amount and auto-allocate.

But, whatever you do, you need to do it yourself. You can't simply say "string data; data stdin;" and get the whole string, to the limit of available memory.

You can code a routine to do this, anyone who writes anything which accepts user input has probably written a reusable 'safe input' module. But, you still have to do it yourself.

And you have to do it EVERYWHERE you look at data. You can't make any assumptions. If 999 of 1000 expected comma-separated integers are integers, the 1000th might be something else entirely, consisting of non-numeric characters. You need to check for not just the correct inputs, but ALL forms of incorrect input. And then, you need to attach basic error handling to all of these.

It's a fucking pain. A good half, at least, of anything I write is spent in input checking, even when the actual input is done in a couple of lines, and could be scanned with a few scanf()s (albeit badly.)

It's not a good reason to switch to what might be a more crippled language, just because that language keeps you from making errors, but you need to recognize the weaknesses of your tools or you can't work past them.
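
The kind of reusable "safe input" routine this comment describes, as an added example that is not the poster's code: `read_line` auto-allocates a line of any length up to a cap, and `parse_int_list` rejects every malformed form of a comma-separated integer list, with a `sscanf` version alongside for contrast. All function names and the sample lines are constructed for illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Read one line of at most max_len chars into a fresh heap buffer. Returns
 * NULL with *eof=1 when input is exhausted, NULL with *eof=0 for a line that
 * is too long, holds a NUL byte, or cannot be allocated (rest is discarded). */
char *read_line(FILE *fp, size_t max_len, int *eof)
{
    size_t cap = 64, len = 0;
    char *buf = malloc(cap), *tmp;
    int c;

    *eof = 0;
    if (buf == NULL)
        return NULL;
    while ((c = fgetc(fp)) != EOF && c != '\n') {
        if (len >= max_len || c == '\0')
            goto reject;
        if (len + 1 >= cap) {              /* grow, keeping room for the NUL */
            if ((tmp = realloc(buf, cap * 2)) == NULL)
                goto reject;
            buf = tmp;
            cap *= 2;
        }
        buf[len++] = (char)c;
    }
    if (c == EOF && len == 0) {            /* nothing left to read */
        *eof = 1;
        goto reject;
    }
    buf[len] = '\0';
    return buf;
reject:
    while (c != EOF && c != '\n')
        c = fgetc(fp);                     /* discard the rest of the line */
    free(buf);
    return NULL;
}

/* Strictly parse "n,n,n" into out[]. Returns the count, or -1 if any field
 * is empty, non-numeric, out of int range, or there are more than max_vals. */
int parse_int_list(const char *s, int *out, int max_vals)
{
    int n = 0;
    char *end;
    long v;

    for (;;) {
        /* strtol alone would skip whitespace and accept "+": refuse both */
        if (n == max_vals || !(isdigit((unsigned char)*s) ||
                               (*s == '-' && isdigit((unsigned char)s[1]))))
            return -1;
        errno = 0;
        v = strtol(s, &end, 10);
        if (errno == ERANGE || v < INT_MIN || v > INT_MAX)
            return -1;
        out[n++] = (int)v;
        if (*end == '\0')
            return n;
        if (*end != ',')
            return -1;
        s = end + 1;
    }
}

/* The "few scanf()s" version for contrast: it reports how many numbers it
 * converted and never notices stray whitespace or trailing junk. */
int sscanf_three(const char *s, int *out)
{
    return sscanf(s, "%d,%d,%d", &out[0], &out[1], &out[2]);
}

int main(void)
{
    /* Constructed sample input: one well-formed line, then malformed ones. */
    FILE *fp = tmpfile();
    int vals[8], loose[3], eof, n;
    char *line;

    if (fp == NULL)
        return 1;
    fputs("10,20,30\n1,2,x\n4,,5\n7,8,9;junk\n1, 2,3\n", fp);
    rewind(fp);
    while ((line = read_line(fp, 4096, &eof)) != NULL || !eof) {
        if (line == NULL) {
            puts("line rejected by read_line");
            continue;
        }
        n = parse_int_list(line, vals, 8);
        printf("%-12s strict=%d sscanf=%d\n", line, n, sscanf_three(line, loose));
        free(line);
    }
    fclose(fp);
    return 0;
}
```
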

Re:HTML Generator vs. "wrote exploit" (1)

lassie_bst (100773) | more than 14 years ago | (#1443125)

Not to mention the DeWalt is made by B&D, just their "high" end line.

Re:They don't seem too happy about it... (3)

WNight (23683) | more than 14 years ago | (#1443126)

To be precise, if you have a hacking contest where you pay $x to the winner, if the computer is not cracked, all you have proved is that the machine is not crackable in that amount of time, by anyone who values $x more than a potential $x * n, where n is the number of potential juicy targets running this system, or by anyone who values $x more than being anonymous.

So, if you offer $10k for a two-month contest to crack into a potential bank security system, you may get a few bored people playing around with it, but the real devious people will wait till it's "proven" uncrackable, and they'll crack into the bank running it, perhaps getting away with more money.

This does produce semi-valid results, for small values of 'n', the number of potential juicy targets, or very high values of $x... If Microsoft paid $1M for 'arbitrary binary' exploits on Win9x, they'd get a lot of takers, because $1M is more than you'd probably get in any reasonable win9x attacks, because nobody uses win9x for anything important. Similarly, if you only had one system, and $x was high enough to rival any potential gains from cracking the system later, you might get people seriously trying.

But, over all, it's a publicity stunt. You aren't guaranteed to get the same people trying, or with the same motivation, so you can't expect the same results.

Moderate Cramer's post UP dammit! (2)

jabbo (860) | more than 14 years ago | (#1443127)

Languages, while not totally irrelevant, are often a bandaid for poor architectural, system, and policy decisions. Writing servers in Python (which is written in C) or in Java (whose JVM is written in C, and whose Java-to-native frontend for GCC is written in C) or in SML, or in Middle Welsh, or in Urdu, will not overcome all the problems of human stupidity, arrogance, and inexperience. The OpenBSD people did the Right and Boring and Horribly Painstaking thing and just audited everything in sight, which is why I'm setting up OpenBSD for my firewall and NAT box. Still, somebody else's empty promises won't keep me from getting 0WN3D, and my own auditing and hardening might not either.

Neither will StackGuard or MultiStack or DDD or assiduous use of MemProf, Checker, Electric Fence, and GDB. People make mistakes, not only in programs to handle incoming packets, but also in automated test harnesses, in compilers, in networking code, in firmware for NICs, in (f00f) CPUs...

I disagree with the "if you think about what you're doing" line of argument (if you think about it hard enough, your system will be infinitely secure cause you'll never write a line of code), but the "just choose a better language" schtick is even worse.

The determined Real Programmer can write Fortran in any language. I personally stick to what I'm reasonably good at (secure distributed transaction processing) and ask other people to audit the shit out of it, then tell the users how to flog me if it breaks. If you're writing daemons for more than just fun and education (i.e. if you think you suck less than I do) I certainly hope you have similar standards... hell, I'm a systems administrator, not even a developer, but I see some real circus acts billing themselves as "developers" these days...


As an aside, my personal take on the Kill-Microsoft bent is that people resent a company whose foundation is "We Know Best" and whose track record indicates "Actually, We Don't, But Pay Us Anyways".


Re:Don't be a dumbass? (1)

Zico (14255) | more than 14 years ago | (#1443128)

Please tell me you're not that dense. You see, the version 3 browsers don't support HTML 4.0. Now, you're welcome to stay back in the stone age at 3.2, but you should be aware that things have advanced since then.

Let me make it a little plainer for you - HTML should not have to be targeted to a specific browser. If it's written properly, it will look good in any browser. If you have to "target" it at all, then it's not written properly.

That's garbage. Let me guess, you have absolutely no real world experience, do you? If you did, you'd know that you can write HTML 4.0 compliant pages 'til the cows come home, and Netscape will still choke on it. What's funny is listening to the Netscape users here bitching about some "poorly written" web page that Slashdot linked to, because it shows up mangled on their browsers. Of course it looks great on IE and Opera, but since Netscape gakked on it, they think it's a coding problem.

I would say that the absolute best thing about Mozilla is that it finally puts W3C HTML 4.0-compliant browsers into the hands of people who've been stuck with the current Netscape releases. Because if there's one thing that's been holding back web development, it's Netscape's atrocious lack of support for standards. You just can't sit down and write some HTML 4.0 page and expect it to work under Netscape. That is the main reason why you see "Best viewed with Internet Explorer" banners: not because they're using IE-only extensions, but because they're using W3C-compliant HTML that Netscape can't grok. Perhaps there should be a "Best viewed with Internet Explorer or Opera" banner, or even "Best viewed with anything but Netscape" for these situations. ;-)

And there's nothing at all wrong with the way FP targets specific browser brands, because most Intranets standardize on a single browser and make use of extensions. These aren't meant to be seen on the Internet and have nothing to do with my question to the original poster, who seemed to imply that FP was capable only of producing proprietary HTML -- he quotes Berners-Lee and takes it to mean that FP is "fucked up, evil, and wrong." They have nothing to do with each other, and he's an idiot for thinking that they do.

Cheers,
ZicoKnows@hotmail.com

Security Statistics (2)

Anonymous Coward | more than 14 years ago | (#1443129)

This site is very interesting: If you look at "http://www.attrition.org/mirror/attrition" and check the statistics, you will find that almost 65% of all the hacked servers are running NT/IIS. However, if you check "www.netcraft.com", you will see that NT/IIS are only being used on 23.5% of all the Internet servers. This makes me wonder: How can MS claim that nobody did ever make any proof that NT/IIS is less secure than UNIX/Apache ? This is the real world proof that NT is very very insecure !

Re:UNIX security is hopeless. (4)

Kaufmann (16976) | more than 14 years ago | (#1443130)

In capability-based systems, users or user accounts do not "own" processes, per se. There are specific objects that do disk maintenance; these objects possess very specific capabilities that allow them to manipulate storage, but little else. The user, in turn, acquires capabilities that allow him to tell these objects to do certain things.

Philosophically, capability systems are much more egalitarian than ACL-based systems; they are also much closer to the real world: you don't see "root people" going around doing anything they want to everyone else's property, do you? (Well, actually, you do: they're called the police force. We're working to fix that bug by the next release. :])

How long? (1)

mrdisco99 (113602) | more than 14 years ago | (#1443131)

Sorry if I missed it, but how long was the machine up?

+++

Re:/incoming == security breach??? (0)

Anonymous Coward | more than 14 years ago | (#1443132)

Breaking out of a chroot(2) jail per classical POSIX semantics is trivial if you're root. It offers a false sense of security unless the implementation of chroot(2) in itself implicitly calls chdir(2). Also, mknod(2), mount(2) and several other system calls should be restricted. In short, if you're root, chroot() doesn't really matter. OpenBSD has remedied this in many ways, but their implementation is sadly the exception rather than the rule.

Re:UNIX security is hopeless. (1)

heh2k (84254) | more than 14 years ago | (#1443133)

the best thing to do is run all externally accessible daemons in chroots not running as root.
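
What this comment and the chroot(2) comment above it add up to, as an added example that is not from any poster or project: change into the jail before and after `chroot`, give up root for good, and confirm it cannot be regained. The function name `enter_jail`, the directory `/var/empty` and the uid/gid 65534 are assumptions chosen for illustration.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1        /* glibc: expose chroot(2) and setgroups(2) */
#endif
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

enum jail_result {
    JAIL_OK = 0,
    JAIL_BAD_TARGET = -1,    /* asked to "drop" to uid 0 or gid 0 */
    JAIL_NOT_ROOT = -2,      /* caller lacks the privilege to chroot at all */
    JAIL_CHDIR = -3,
    JAIL_CHROOT = -4,
    JAIL_DROP = -5,          /* setgroups/setgid/setuid failed */
    JAIL_STILL_ROOT = -6     /* root could be regained after the drop */
};

/* Confine the calling process to dir and run it as an unprivileged user.
 * Call this before touching any network input. */
int enter_jail(const char *dir, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)
        return JAIL_BAD_TARGET;
    if (geteuid() != 0)
        return JAIL_NOT_ROOT;

    /* chroot(2) does not change the working directory on every system, so
     * move inside first and reset to "/" afterwards; a cwd left outside the
     * new root is a way back out. */
    if (chdir(dir) != 0)
        return JAIL_CHDIR;
    if (chroot(".") != 0)
        return JAIL_CHROOT;
    if (chdir("/") != 0)
        return JAIL_CHDIR;

    /* A root process can undo a chroot, so the jail only holds once root is
     * gone. Order matters: supplementary groups, then gid, then uid, because
     * after setuid() the process may no longer change its groups. */
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return JAIL_DROP;

    /* Verify the drop is permanent instead of trusting the return codes. */
    if (setuid(0) == 0 || geteuid() == 0 || getuid() == 0)
        return JAIL_STILL_ROOT;
    return JAIL_OK;
}

int main(void)
{
    /* Assumed jail directory and unprivileged ids; adjust for the host. */
    int r = enter_jail("/var/empty", 65534, 65534);

    if (r != JAIL_OK) {
        fprintf(stderr, "refusing to serve: jail setup failed (%d)\n", r);
        return 1;
    }
    printf("jailed, running as uid %ld\n", (long)getuid());
    return 0;
}
```

Directory descriptors opened before the call still point outside the jail, so close them first.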

Re:HTML Generator vs. "wrote exploit" (1)

friedo (112163) | more than 14 years ago | (#1443134)

IANAP (I am not a programmer), but I do write all my HTML by hand. This sounds funny. Am I wrong... or missing something?

Yes, you are. The page you saw there was cracked by a script kiddie who used a backdoor installed by Mr. Jacobowitz when he used the buffer overrun in ProFTPD. I don't know if Jacobowitz even defaced the page at all, if he did, I didn't see it. But the message you see there was NOT done by him.

Still can get to other pages at crack.linuxppc.org (2)

vrmlguy (120854) | more than 14 years ago | (#1443135)

If you want to see the original page, circa November, google still has it cached here [google.com]. And, it looks like the links on that page still work, so you can go to the credits page [linuxppc.org] and see both the "number of successful cracks: 1" in the info box and the additional credit to "And Daniel Jacobowitz, because good security isn't always good enough." near the end of the listing.

Dan's credit page (1)

jaso (91769) | more than 14 years ago | (#1443136)

fyi, when Dan cracked the machine, he just made a couple of tiny changes to the credits page (currently online at http://crack.linuxppc.org/credits.shtml). He changed the number of successful cracks to 1, and added this line to the bottom of the credits: "And Daniel Jacobowitz, because good security isn't always good enough."

Re:HTML Generator vs. "wrote exploit" (1)

drewpt (3975) | more than 14 years ago | (#1443137)

I ask you, why would someone who knows assembler use a compiler to create binaries?

Less code to write.

Less code is associated with easier to debug/easier to maintain (not all developers are fluent in ASM).

I develop in both Intel ASM and C. Unless I NEED the speed of ASM, I use C.