Dailydave mailing list archives

Re: Dreaming of Summer


From: surreal () delusory org
Date: Sat, 6 Dec 2003 10:16:21 -0700

David Maynor wrote:
On Sat, 2003-12-06 at 01:57, surreal () delusory org wrote:

For your consideration: Thoughts on a Virtual Multi-Bird Projectile

Dave's list may not be the right forum for this idea, but I like to think that the right people might see this (and 
it's only one message, so here goes). I'd like to address two problems and promote Good Clean Fun at the same time.

Problem one: Redhat; RHN; EOL. 

A large but unknown (to me) number of Redhat boxes running 7.3 through 9 are about to be left to their own devices 
for bugfixes and security updates. Redhat hasn't seemed very excited about helping these soon-to-be-stranded 
sysadmins. "Buy our pricey distro and reinstall all your boxes" or "run Fedora and dwell forever in Beta Hell" just 
don't make me feel, uh, loved and valued. I *liked* up2date.


Debian. Debian fixes all.

In my case RHES fixes all, but there's still a big population in the Unpatched-Masses-wearing-a-KickMe-sign camp.

I'm thinking along the lines Phil suggested. Change the fundamental rules of the game to be attack oriented, or have 
Attack teams and Admin teams (that's starting to get kinda cluttered tho).

My assumption is that within 6 months, possibly three, there'll be known holes. Award points (panel of judges?) on the 
"elegance", stealth and/or realworld applicability of attacks. 

A remote root would be worth more than local root; 
remote unpriv'd shell worth way more than simply killing a service;
killing a service with a single packet more than flooding something 'til it pukes.
Not leaving messy syslog traces would give Elegance points.

Hell, maybe by then Microsoft will have ported Outlook Express to Linux and make root-via-spam a reality.

Make CTF a ninja contest instead of its current state. If it was managed right, it'd also give the winner(s) 
significant media coverage and RH some much needed (IMO) public scolding.

ZD: He has the 'leet Ninja 5k1llz to launch Digital Pearl Harbor, but this studly "White Hat" hacker uses his powers 
for the good of all mankind! Ooooh!

You know in your heart it's true...

Surreal

Problem two: CTF got boring.

To quote Dave, from 8/5/2003:

...
Also, I admit it WAS a sysadmin game, but CTF should not be. If we're
going to make it Defend The Flag, then just have another game. You need to
make it a game where offense matters. Otherwise you just have everyone
hunkered around doing defense, like this and every other year. Did the
winning team write any exploits? I don't think they did. What does that
say?

My proposal is this: CTF - Dead Hat Edition 2004

Is it just me, or is that catchy? That is, of course, assuming a DC XII. :-|

By July, 7.3 and 8 will have been orphaned for 6 months, Redhat 9 for at least 3. How fast does a Linux distro go 
stale? Is someone holding off on the next big remote r00t until next year? How many ways will there be to r00t that 
"unknown number of boxes"? Who is this man of toast, and what is his dark secret?

I propose that the nodes for CTF be Redhat boxes patched up to their EOL date like any happy RHN-using box. I'm a 
defender, not a sploit coder so I leave the difficult details of play and scoring to the Smart Folks.

I'd like to think that just maybe an event like CTF-DH could prod Redhat to do a little more for the people they're 
leaving behind. Maybe host a "community supported" alternative to RHN? Anything's better than what we've got right 
now.

Maybe they'd ignore the whole thing... If the results of the competition were documented, at least people would know 
where some of the holes are(?)

Yeah, it *could* backfire and turn into a primer for a Redhat holocaust. The way things are going though, 2004 could 
be the year Linux gets the reputation for being r00ted as readily as Windows. That'd suck, IMO.


This will still fall back to sysadmin games. I want to see a free for
all, you are given a kernel the week before and you have to build your
own distro out of it. You then take that distro and defend/attack other
people. CTF is getting boring as long as it remains a sysadmin game.


_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave

