* Cature the flag (was Re: Selinux kernel patches)
  2001-02-08 18:41 ` Dale Amon
@ 2001-02-09  2:32   ` Sandy Harris
  0 siblings, 0 replies; 7+ messages in thread
From: Sandy Harris @ 2001-02-09  2:32 UTC (permalink / raw)
  To: selinux

Dale Amon wrote:
> 
> On Tue, Feb 06, 2001 at 03:28:44PM -0500, Pete Loscocco wrote:
> > We think that we have a good architecture and that it warrants
> > consideration. ...
> 
> Just a wild suggestion. When things are well along and
> everyone thinks the system is ready, why not put a box
> out on a public network for a game of "capture the flag"?

The annual Defcon conference (http://www.defcon.org/) has run such
a contest, on a LAN at the conference, for several years now. Some
firewall vendors bring machines for use as targets.
 
> Offer a free T-shirt "I cracked the NSA" to anyone who
> succeeds *and* tells precisely how it was done. Set up
> tests for system cracks both from fully external or from
> various shell access levels.

In addition to attackers' machines and target machines, they have
other machines doing packet logging so attacks can be analysed
later.

A web search on "defcon capture the flag" will turn up the rules,
last year's logs and some discussion.

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Cature the flag (was Re: Selinux kernel patches)
@ 2001-02-09 15:18 paul 
  2001-02-09 16:58 ` Jose Nazario
  0 siblings, 1 reply; 7+ messages in thread
From: paul  @ 2001-02-09 15:18 UTC (permalink / raw)
  To: selinux, Sandy Harris

So what happens when the hackers attack the machines logging packets?  Or what if they just decide to take down the router?


* Re: Cature the flag (was Re: Selinux kernel patches)
@ 2001-02-09 15:33 paul 
  2001-02-09 16:31 ` John Cordani
  2001-02-09 16:56 ` Daniel Harrison
  0 siblings, 2 replies; 7+ messages in thread
From: paul  @ 2001-02-09 15:33 UTC (permalink / raw)
  To: selinux

I have always felt that the best way to test a piece of software is the same way that any scientist would test a hypothesis.  The hypothesis here is that the software is secure.  So in order to test that hypothesis you have to have people that test that software for security holes.

In my opinion, finishing a piece of software and then inviting the whole planet to try and "hack" it for $200 and a free shirt is just not the best way to approach this.  You will end up with people from all over the planet not only attacking the system but also the network, including other systems on the same wire that are gathering packets, routers, and perhaps even the upstream provider.  Sure, you can say that all these are off limits, but people will simply not care as has been shown by these kinds of "tests" over and over and over.

What we intend to do at Bladestorm is to integrate all the efforts here into our distribution and conduct a controlled test, where the software is tested by security professionals.  It will be probed and tested thoroughly, we would report our findings, patch, reprobe, and then after that cycle is done we will do a beta.  And the beta would be to put the distribution into environments where the software can be tested.  This way, we can eliminate variables such as routers going down and so forth and really be able to pinpoint holes.

Public stunts like this are more like handing 2,000 people a can opener and telling them all to try to be the first to open a can.  You end up with a mess, and a lot of spilled tomato soup.  It's just not worth it from my vantage point.


* RE: Cature the flag (was Re: Selinux kernel patches)
  2001-02-09 15:33 Cature the flag (was Re: Selinux kernel patches) paul 
@ 2001-02-09 16:31 ` John Cordani
  2001-02-09 16:56 ` Daniel Harrison
  1 sibling, 0 replies; 7+ messages in thread
From: John Cordani @ 2001-02-09 16:31 UTC (permalink / raw)
  To: paul, selinux

Paul,
As a scientist I certainly try to apply science to the production of
information products. I agree with your stance on this issue. Certainly
engineers and scientists should first test their hypothesis and experiment
in a controlled environment prior to any beta release. When the engineering
and testing teams have reached their conclusions and refinements an open
test of the beta release might be warranted.


* RE: Cature the flag (was Re: Selinux kernel patches)
@ 2001-02-09 16:54 Ellis, Wes
  0 siblings, 0 replies; 7+ messages in thread
From: Ellis, Wes @ 2001-02-09 16:54 UTC (permalink / raw)
  To: 'selinux@tycho.nsa.gov'

Then this is another vulnerability, and would need to be addressed. A
machine is not just itself, but any other machines attached to it, and this
is most often where I have personally found weaknesses in audits.

-----Original Message-----
From: paul [mailto:paul@bladestorm.com]
Sent: Friday, February 09, 2001 9:18 AM
To: selinux@tycho.nsa.gov; Sandy Harris
Subject: Re: Cature the flag (was Re: Selinux kernel patches)


So what happens when the hackers attack the machines logging packets?  Or
what if they just decide to take down the router?


* Re: Cature the flag (was Re: Selinux kernel patches)
  2001-02-09 15:33 Cature the flag (was Re: Selinux kernel patches) paul 
  2001-02-09 16:31 ` John Cordani
@ 2001-02-09 16:56 ` Daniel Harrison
  1 sibling, 0 replies; 7+ messages in thread
From: Daniel Harrison @ 2001-02-09 16:56 UTC (permalink / raw)
  To: selinux

In case some people haven't seen it, there has been a thread on the Vuln-Dev list hosted by securityfocus.com talking about the right and wrong way to do this. Some vendors have been participating in the discussion. I would definitely suggest checking out the archives of that list.

-dan


* Re: Cature the flag (was Re: Selinux kernel patches)
  2001-02-09 15:18 paul 
@ 2001-02-09 16:58 ` Jose Nazario
  0 siblings, 0 replies; 7+ messages in thread
From: Jose Nazario @ 2001-02-09 16:58 UTC (permalink / raw)
  To: paul; +Cc: selinux, Sandy Harris

On Fri, 9 Feb 2001, paul  wrote:

> So what happens when the hackers attack the machines logging packets?

usually it's configured at layer 2 only, so it's not visible to anyone.
it's a good NIDS procedure. it's invisible, and also nearly immune to
attacks. you also use a good IP stack (usually OpenBSD).

> Or what if they just decide to take down the router?

which used to happen at DefCon, then they moved to OpenBSD and cut down
those problems pretty quickly.

these are all good considerations, and considering that you're trying to
attract the best of the best, wise to keep in mind. but, they've also been
addressed before.

____________________________
jose nazario						     jose@cwru.edu
	      	     PGP: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
				       PGP key ID 0xFD37F4E5 (pgp.mit.edu)

