07-05-2003, 10:08 AM
PowerCum
CjOverkill
Join Date: Apr 2003
Location: Woldwide
Posts: 1,328
Quote: Originally posted by DynaSpain

No harm done? Any hack causes damage and a shitload more
than the hacker imagines....white hat, black hat it's all the same.
When a box is being compromised it costs money. The box needs
to get cleaned/reinstalled because who assures the victim that
only his webpage has been defaced? This costs time, money,
causes bad publicity, damages reputation and often causes
people to lose their jobs. Now please explain to me once more that
there is no damage being done defacing a webpage

DynaMite
I meant that the contest does not contemplate server data destruction (something like rm -rf /*).
Also, I don't give a fuck if someone loses his work because he does not protect the servers he administrates. There has been long-time discussion about this. My personal opinion is that if the admin is unable to make the convenient upgrades, fixes and a decent config, he does not have to work as an admin.
Now is when you jump in and say something like "you cannot protect yourself from 0day (zero day) exploits". This is wrong too; you can if you know how a program, system and CPU work at a low level. Also you can make lots of configs that will minimize the attack. And if you are skilled enough, you can completely disable any kind of overflow attack (involves system kernel hacking and some performance impact); after that you will only be vulnerable to your own configuration bugs.

About that you have to format the entire box after a defacement... well, if your web server is installed as it must be installed and not just by hitting the rpm package install button or by running ./configure; make; make install, then you would not need to reformat the entire box just because someone changed your home page (if he can do that after a proper setup).

Most admins around just hit the RedHat or BSD install button, then install webmin and some extra tools and forget about the box until it dies or someone hacks it. Then the admin says something like "damn hackers" without even realizing that his box was vulnerable to bugs reported about 6 months ago. And I am pretty sure that 99%, just because I don't like to say 100%, of the normal servers around that all the companies offer here to host your stuff have a default installation (with default kernel and system setup, with all the stability, performance and security impacts this carries), and from time to time the admin just hits the update button.

I am a Linux developer and I also have and maintain my own Linux distribution (one of the few Linux distros with C2+ compliant security), so I think I know something about how a standard Linux distro looks and how one with a decent setup and config looks. Also I am pretty sure some of the admins will be unable to administrate a system with a decent security policy.

If you do not like hackers, that's your problem. I love them. When my system is under a good hacking attack I enjoy looking at how they do it and the methods they try.

Also, if you have a spare box, I recommend you set up a honeypot and have a look at it; that's the best way to see how attackers perform and what they usually do on your box.

Of course, in the adult industry security is almost zero. And when people report security bugs, they get bashed because they do report a bug. The only thing that you get in exchange is no more security reports about your sites or your products until some 16-year-old kid decides to exploit these bugs and have some fun. I talk from my own experience. Some time ago I reported a bug in a TGP script. The author bashed me and did not fix the bug (even when I provided him with a patch for that specific bug). Of course, the version that bug affected never had an official patch released (it was a free version, but the next version was intended to be paid). Some time after that the author reported that lots of sites using that software were hacked, probably using the bug I reported (any 16-year-old kid with some security knowledge would see that bug). The same bug affected some of the other services this person was offering, as it was in the auth scheme he used in his software. All I got were bashes and a ban from him.
Now how do you expect me to report a security bug to you if I find some security flaw in your site or your software? No way. I keep it to myself, and share it with whom I decide or with the best bidder. No joke here: when someone reports a security bug, tell him at least "thank you"; after all, this person has spent his time reviewing your product.

These hacking contests are good. Think of it this way... you get a free security test on your system.
__________________
CjOverkill Traffic Trading Script
Free, secure and fast traffic trading script. Get your copy now