Sidewinder's announcment

[root () beast oau org (Breakdown)]

I just recently saw cklaus () shadow net's post to bugtraq about some 
'unbreakable' site and an open invitation to all *true* hackers to go 
and crack/hack the crap out of it. Some of you said you tried to ping 
it, and said no one could connect to it... Well in this letter below 
they say the site will be up sometime after 11-th of October.. Anyway, 
here's the letter I got....

        Genie
--

> From sidewinder () sctc com
Date: Mon, 10 Oct 1994 18:25:50 -0500
From: Sidewinder Info <sidewinder () sctc com>
Subject: Consider this a personal invitation.

-----BEGIN PGP SIGNED MESSAGE-----

FAQ for the Sidewinder(tm) [1]  Challenge:

[Numbered notes at the bottom]

- --------------
Q. Is this another missive from that pompous blowhard "able baker"?

A. No. He was an AI we used as an attention-getting mechanism.  We
shut him down when it was clear he had lost his grip on virtual
reality.  
- -------------- 
Q. Then is there any reason whatever I shouldn't hit 'n' right now?

A. Yes. The Sidewinder(tm) [2] Challenge.  
- -------------- 
Q. [Yawn] And what's a Sidewinder(tm) [3]? Another one of these lame
"firewalls?" A package of public domain software with a GUI tacked
on for the marketing brochure?

A. About as far from that as you can get.  It's a secure,
application-layer gateway between two TCP/IP networks. It uses the
Type Enforcement mechanism to encapsulate applications and eliminate
the need for "bastions," extra routers, or "proxies."
- ---------------
Q. And what's "Type Enforcement?"

A. A patented security mechanism, described in the technical FAQ.
(Read on for how to get a copy of that).
- ---------------
Q. So what's the Sidewinder(tm) [4] Challenge?

A. An open test of its security features, beginning as soon after
the 15th of October as we can make it and lasting as long as we offer
the product.  
- --------------- 
Q. What kind of test is this, since the serious crackers know you're
monitoring the site to a fare-thee-well?

A. We aren't doing any more monitoring than any of our customers would
do. And if that keeps the "serious" crackers away from
sidewinder.com, then it will probably keep them away from other
Sidewinder (tm) [5] sites.  Which is, after all, the point.

- --------------- The Challenge ----------------------------------

OK, here's the deal: having demonstrated to our own satisfaction that
you can't easily get *into* a Sidewinder(tm) [6] from the *outside*,
we now will now test how hard it is to get *out* of one from the
*inside*.  Herewith, the rules:

Rule 1. There are no rules.  There are, however, some things you have
to do to claim the reward:

A. Log into butler.sidewinder.com as "demo."  The door's wide open, no
need to knock.

You'll find yourself in a limited service environment that looks a lot
like a C shell.  It isn't.  Among the services denied to you is telnet
and ftp. (Mail works fine, to show that we can control function
instead of just ports.)  Note that this demonstrates our ability to
encapsulate and protect an arbitrary service.  You don't have to waste
a lot of time figuring out how to fool Mosaic or some such to perform
a particular command sequence; just log in and do it directly.

B. Break out of the limited service environment and get to the machine
on the other side, supervisor.sidewinder.com.

C. Extract the congratulatory note stored in /pub. The note is
signed with PGP. The public key to use to check the signature is:

- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.7

mQCNAy6VtUAAAAEEAL3i1Eb3jHY2xsZ7XaednOm/amkXO/0Q3WOloGSYP5eidoqC
gfNetHhzGwc5CXvKElCal+dK1sPfSt9L+MuFcLWbKr4Ye2/XeCxCYFe2dDPnJN0q
IvTd5oB73zbeeYD/8Xk5OCp460Vk2VYZgWHFnaUe5EaqK6hNYxWEZHBwMzD7AAUR
tBNzaWRld2luZGVyQHNjdGMuY29t
=Jl8S
- -----END PGP PUBLIC KEY BLOCK-----


D. Publish the signed congratulatory note on Usenet so anybody on the
net can verify the signature.

E. Publish a description of how you did it in enough detail so that
anybody on the net can duplicate your feat. 

- ---------------- The Rewards -------------------------------

1. World-wide bragging rights on Usenet.

2. A nifty jacket with a Sidewinder(tm) [7] patch on it.

3. A framed paper certificate, signed in ink by the members of the
team, attesting to the fact that you are one smart cookie.

4. Your name in our public documentation, along with a description of
your attack and what we did to close the vulnerability it exploited.
None of this security by obscurity stuff for us.  If you outwit us,
you get the credit and we document and fix the problem.

5. All the media attention that you can handle. Hey, if you want to
further the myth of crackers as romantic outlaws, we can even get you
on a talk show with a bag over your head :-)

- ---------------- Helpful Hints -----------------------------

Download the technical FAQ from ftp.sctc.com; it's in the pub directory,
in both gzip (.gz) and compressed (.Z) PostScript. 

Print it and read it.

Don't waste your time with packet-level games. This is a layer 7
gateway.  It makes no security decisions whatever on the values of
packet headers. The technical FAQ also lists other stuff that isn't
worth trying. Remember, we're letting you *in* for free; no need to
spray the neighborhood with cutely crafted packets.

Control your urge to throw a net.tantrum and fire off a mailbomb or
other denial of service attack.  All that will get your site is a
place on our spoilsport list (published periodically) and no more
connections to the sidewinder.com domain.

Be patient. We're running a slow net connection so we could get on the
air sooner.  And remember, we won't be up until sometime after October
the 15th. So there's plenty of time to get ready.

- -----------------

Notes:

[1] Coo, Harriet, it's a quantum of intellectual property!

[2] Humph. You think up a halfway decent name, and then you have to
stick this stupid string behind it.  I mean, does the Man of Steel
yell, "Stop! This is Superman(tm)"?

[3] Somebody observed you don't have to use it every time, just the
first time on a page.  But since we don't know what a page is on your
terminal, the contract weenies said we had to use it every time. That
only took a four-hour staff meeting to sort out.

[4] Also, nobody was really sure that (tm) had the same effect as the
little superscript blivet you're supposed to use.

[5] Actually, it took two hours of the staff meeting to decide that
nobody knew whether the (tm) incantation worked or not.

[6] The other two hours were spent deciding that whether it worked or
not, we had to use it just in case.

[7] "Just in case" is lawyerspeak for "At least *my* ass will be
covered."
- --
Sidewinder Information, sidewinder () sctc com

-----BEGIN PGP SIGNATURE-----
Version: 2.7

iQCVAwUBLpb73BWEZHBwMzD7AQGbQAQAlFbSQ5i503e4l2KS31zZ8BzzAAFPjX9X
8yjoolybFUMPAPcGrA7m2bp8KkR/UOgV5wR5BkX7ouMJnUW+2yyC6zhs228GliEH
LjntBRfiRmJ8Qno6GrEQ6CC1QAALyruZLC9Oz1Vaq2fEVgbcVVuffq6h8cS4rzrp
hBDtQPaO/Zg=
=PcIv
-----END PGP SIGNATURE-----