Re: Microsoft ask users to crack win2000 site

[jhorn1 () DESPERATE CI TUCSON AZ US (John Horn)]

Aleph1, I don't know if this posting is really pertinent to the list but
considering the potential for serious penalties, I thought it might be
advisable to point this out.

Hmmm, interesting. Nevertheless, such activity contravenes various federal
statutes and/or possibly state statutes at either the point of origination
and/or the destination (or both). I would suggest that anyone interested
in accepting this offer consider the relevant legal issues before actually
making a compromise attempt on the site. It should be noted that Microsoft
does not have the authority to waive prosecution under at least one (or
possibly more) federal statutes. It is quite possible to be prosecuted
completely without Microsoft's consent.

It is, in fact, even possible that an invitation to the public to
contravene federal statutes may, in and of itself, violate other statutes.

On Tue, 3 Aug 1999, Peter Lowe wrote:

> [ executive summary: Microsoft are asking you to crack their
>   machine running on win2k and iis. ]
>
> I haven't seen anything about this on bugtraq before, and I'm not
> entirely sure if it's appropriate, but this is from
> http://www.windows2000test.com/ground_rules.htm:
>
>
>                     Microsoft Internet Explorer
>    Microsoft Windows 2000 Server with Internet Information Server.
>
> Ground Rules
>
>    1. Make it Interesting
>
>    Good safe computing practices on the Internet involve placing
>    critical systems behind firewall-type devices. For this
>    testing, we are intentionally not putting these machines behind
>    a firewall. This mean that you could slow these machines down
>    by tossing millions of random packets at them if you have
>    enough bandwidth on your end. If that happens, we will simply
>    start filtering traffic. Instead, find the interesting "magic
>    bullet" that will bring the machine down.
>
>    2. Compromise an account
>
>    Windows 2000 computers can have multiple user accounts and
>    groups. See if you can find a way to logon with one of these
>    accounts.
>
>    3. Change something you shouldn't have access to
>
>    See if you can change any files or content on the server. If
>    you manage, no foul or rude statements please.
>
>    4. Get something you shouldn't have
>
>    There are hidden messages sprinkled around the computer. See if
>    you can find them.
>
>    5. Our goal is to configure the system to thwart your attempts
>
>    The goal is to see how a properly secured machine will stand up
>    to attack. These machines are configured to prevent known
>    attacks.
>
>    6. This is a test site
>
>    You are welcome to attempt to compromise this site, and this
>    site only. This is your chance to do a practical test of
>    Microsoft Windows 2000's security.
>
>    7. Tell us about your exploits
>
>    If you find something, send us some email at
>    >    w2000its () microsoft com.
>    © 1999 Microsoft Corporation. All rights reserved. Terms of
>    Use.
>
>
>
> --
> Peter Lowe -- System Administrator, Telenor Internet
> http://www.ti.cz/ -- pgl () ti cz
>
> Everything I know in life I learnt from .sigs.

Regards:

John Horn
City of Tucson, IT Dept.
jhorn1 () desperate ci tucson az us