1st Open Backdoor Hiding & Finding Contest to be held at DEFCON 0x12
July 3, 2010 at 9:23 AM
The CoreTex Team from Core Security is happy to announce the *1st Open Backdoor Hiding & Finding Contest* to be held at DEFCON 0x12 this year!
Hiding a backdoor in open source code that will be subjected to the scrutiny of security auditors by the hundredths may not be an easy task. Positively and unequivocally identifying a cleverly hidden backdoor may be extremely difficult as well.
But doing both things at DEFCON 0x12 could be a lot of fun!
If you liked to read about the exploits of C. Auguste Dupin, the devious Minister D. or even the n00b Prefect Monsieur G. [*] here's a chance to role-play all of them at DEFCON using your favorite coding and code auditing techniques.
Registration is now open at http://www.backdoorhiding.com
Questions, feedback, comments and general discussion at: https://forum.defcon.org/forumdisplay.php?f=520
Here are the details:
Quick intro
Two in one Backdoor Hiding/Finding Contest (participate in either or both): In the first stage, hiding participants provide a source code hiding a backdoor, in the second stage organizers mix the source codes with non-backdoored (placebos), and then ask finding participants to spot the placebos. Hiding participants get hiding points for being voted as a placebo and finding participants get points for spotting the placebos and negative points for false positives.
Contest Description
The contest includes two games: a backdoor hiding and a backdoor finding contest which are played simultaneously. The contest will be played in two rounds: a qualification round that starts before the conference and ends during the conference, and a second (smaller and shorter) round during the conference. Each round is a multi-player game, which is played in two stages. The timeline is included below.
Prizes will be announced shortly. We will give prizes for all those that get to the qualification round and special prizes for the winners of each contest.
Qualification round
Stage 1 (hiding): All participants registered for the backdoor hiding game are given a set of requirements for a software program. Before the deadline, they must submit the source code for a program that fulfills these requirements plus includes a backdoor. They must also send a description explaining how to exploit the backdoor.
Stage 2 (finding): There is new time to register for the backdoor finding game. All players registered are given a bundle with the different pieces of source code. To each bundle the organizers will add a few placebos (source codes that fulfill the requirements but should not include a backdoor). Before a deadline, the players must answer for each source code if they believe it includes a backdoor or not.
The winners of each game are the ones that accumulate the most points. There is a table for computing points (which can be positive or negative) for the finding contest (X points if it was voted as backdoor and had a backdoor, Y points if it was voted as backdoor and hadn’t a backdoor, etc.).
For the hiding contest, it’s simpler: each time one player’s source code was voted as non-backdoored, the player is given 1 point. The first participants of the backdoor hiding contest with the most points qualify for the second round.
Same with the finding contest.
Final Round
Stage 1: We provide a source code in C/C++ and describe the requirements it fulfills to all the players. We then describe an additional requirement, and players must write a patch to this source code such that all of the requirements are fulfilled and a backdoor is hidden in the code. They must also provide an explanation on how to use the backdoor.
Stage 2: Again, the organizers will add a few patches/source codes that fulfill the requirements but do not have backdoors. A jury composed of the winners of the hiding contest (1st stage), a small set of well-known security experts and the players of stage 1 (round 2) have 3 hours to cast their votes for each source code if it hides or does not hide a backdoor. Points are computed according to the same strategy as in the first round.
The contest is not restricted to any particular programming language. However, it is part of the instructions that the “work” was commissioned by a government that needs this software and will audit it. Hence, most players will stay away from non-mainstream programming languages since the non-backdoored programs will most probably be developed in C, C++, etc.
Timeline
-July 1, we open registration.
-July 19th, we open the 1st stage of the qualification round. Participants are allowed to register until before the July 29 deadline.
-Thursday July 29, 0hs, we stop receiving source codes. Registration for 2nd stage of the first round continues.
-Friday July 30th, 0hs, we open the 2nd stage of the qualification round: users are allowed to download the source code bundles; the site accepts votes (YES/NO)
-Saturday July 31st, 12hs, Registration and voting are closed. Shortly, we announce first round winners of the backdoor-hiding and backdoor-finding contests.
-Saturday July 31st, 16hs, we start the second (and final) round which will last less than two hours. Players have some time to write a patch for a given source code and include a backdoor.
-Saturday July 31st, 17:30hs, The eminence jury members (3-5 members, TBD), winners of the backdoor-hiding qualification round and the winners of the backdoor-finding qualification round are allowed to vote for the final round winner. They have 30 minutes.
-Sunday 1, 14hs. Winners are announced and prizes delivered in the DefCon Awards Ceremony.
Register now, have fun and see you at DEFCON-0x12 !
[*] C. Auguste Dupin, Minister D. and Monsieur G. are characters from the 1845 tale "The Purloined Letter" by Edgar Allan Poe
--
ariel, andres, Damian Saura, futo, ivan & pedro
The CoreTex team at Core Security Technologies
July 4, 2010
December 27, 2009
12/26 The Professional Security Testers Warehouse for the CEH GPEN QISP Q/ISP OPST CPTS
|
December 20, 2009
Hacker Shows
As internet connections become faster, video cameras become cheaper, and streaming video sites go even more mainstream a growing number of people are turning to the internet to broadcast low budget shows. Unlike television, where budgets for even a news broadcast run in the thousands of dollars, these low cost shows usually cost well under 1000 dollars an episode (some costing nothing at all). Due to these low costs it is now possible for many more niche shows to be created, one of these niches being hacker shows.
Two of my favorite hacker shows would have to be Hak5 and The Hacker News Network. Hak5 is a show based on the technical side of hacking. Not all of the hacks will be things which you're interested in doing, but many of them are pretty cool, and cost nothing to try out, such as installing Doom on a zipit (zipits cost 50 dollars by the way), installing an operating system onto a USB, or rooting a droid.
Hacker News Network is a show based more on computer security. Reporting on topics such as arrests in the scene, new exploits (they don't show you how to use them), the spread of worms, viruses and trojans, and the inefficiency of the computer security sector in general.
If anyone reading this knows of any other good hacker shows feel free to post a link in the comments section of this article. I am always looking for better ways to waste my time, learning is just a byproduct.
Two of my favorite hacker shows would have to be Hak5 and The Hacker News Network. Hak5 is a show based on the technical side of hacking. Not all of the hacks will be things which you're interested in doing, but many of them are pretty cool, and cost nothing to try out, such as installing Doom on a zipit (zipits cost 50 dollars by the way), installing an operating system onto a USB, or rooting a droid.
Hacker News Network is a show based more on computer security. Reporting on topics such as arrests in the scene, new exploits (they don't show you how to use them), the spread of worms, viruses and trojans, and the inefficiency of the computer security sector in general.
If anyone reading this knows of any other good hacker shows feel free to post a link in the comments section of this article. I am always looking for better ways to waste my time, learning is just a byproduct.
December 12, 2009
AutoBlogging
Yesterday as I was surfing the internet I stumbled upon a forum used mainly by blackhats to discuss the newest methods in profiting via websites and blogs. Many of these methods I have know about for a long time, such as cookie stuffing, spamming forums, fake traffic, etc. One method which caught me by surprise was autoblogging (there were others by the way).
Autoblogging is basically using a RSS feed to publish content from one blog onto a different blog. The whole process is automated meaning after set up, assuming you set it up right, a blog will be provided with quality articles and cost the operator nothing in time or money. Used correctly autoblogging seems like an easy way to inhance your blog, while promoting another bloggers blog. The problem is a lot of blackhats have taken to finding a nitch markets, setting up an autoblogger, using blackhat tactics to promote their blog, and then moving on to create another blog. Usually these blogs, due to the ways they are promoted, will recieve more traffic then the blogs whose articles they are using, and often times they provide very few, if any, links to the blogs which they recieve there articles from.
After read up on autoblogging and hearing about the hundereds of dollars per day blackhats make using it I decided to try it out for myself. First however I wanted to lay down a few ground rules for myself. The first being that autoblogging would not be used to supply my blogs with 100% of their content. Secondly any autoblogging which was done would have some sort of link back to the blog which I got the articles from and finally I decided that I would not use everything which was gotten from other blogs RSS feeds. With these rules in place I feel I can consinously use autoblogging to add content to my blog, and at the same time supply other blogs with more viewers. Legality wise there have been no copyright cases involving autoblogging, so I decided to just accept the general consenus that it is legal (even in many of the cases where autoblogging supplies a site with 100% of the content).
Once you have figured out how you feel morally about autoblogging it is time to get down to business.
First: Start a blog on blogger.com (This method of autoblogging is blogger based).
Third: Find the blog which you want to get your articles from, and then use a service like Feed My Inbox to e-mail the blog to your e-mail.
Fourth: Set up your e-mail to forward any messages from Feed My Inbox to your blogger address and your ready to go.
Autoblogging is basically using a RSS feed to publish content from one blog onto a different blog. The whole process is automated meaning after set up, assuming you set it up right, a blog will be provided with quality articles and cost the operator nothing in time or money. Used correctly autoblogging seems like an easy way to inhance your blog, while promoting another bloggers blog. The problem is a lot of blackhats have taken to finding a nitch markets, setting up an autoblogger, using blackhat tactics to promote their blog, and then moving on to create another blog. Usually these blogs, due to the ways they are promoted, will recieve more traffic then the blogs whose articles they are using, and often times they provide very few, if any, links to the blogs which they recieve there articles from.
After read up on autoblogging and hearing about the hundereds of dollars per day blackhats make using it I decided to try it out for myself. First however I wanted to lay down a few ground rules for myself. The first being that autoblogging would not be used to supply my blogs with 100% of their content. Secondly any autoblogging which was done would have some sort of link back to the blog which I got the articles from and finally I decided that I would not use everything which was gotten from other blogs RSS feeds. With these rules in place I feel I can consinously use autoblogging to add content to my blog, and at the same time supply other blogs with more viewers. Legality wise there have been no copyright cases involving autoblogging, so I decided to just accept the general consenus that it is legal (even in many of the cases where autoblogging supplies a site with 100% of the content).
Once you have figured out how you feel morally about autoblogging it is time to get down to business.
First: Start a blog on blogger.com (This method of autoblogging is blogger based).
Second: Go to the settings section on blogger, then look under Email & Mobile for the Posting Options. Once you're here enter your secret word (this is to make sure no one can spam you site with articles). Next select when you want your e-mails to be published, you can either do it right when they are recieved or they can be saved as drafts which you can post, by hand, later. I decided to send everything to my drafts section, because this allows me to publish only the articles I feel apply to my readers.
Third: Find the blog which you want to get your articles from, and then use a service like Feed My Inbox to e-mail the blog to your e-mail.
Fourth: Set up your e-mail to forward any messages from Feed My Inbox to your blogger address and your ready to go.
December 9, 2009
The Hacker Manifesto
The Hacker Manifesto is a piece of hacker litature which has influenced generations of hackers. I stumbled upon it back in the late 90s when I was first starting to get into hacking. Back then The Hacker Manifesto described me perfectly. Reading this manifesto was my moment of clarity, the point at which I relized that the hacking community was where I belonged.
It has been roughly 10 years since I began hacking, and I no longer walk the halls of my junior high or high school, but the overall message of the manifesto still applies. If you have not stumbled upon The Hacker Manifesto I would like to introduce you to one of the greatest peices of hacker litature in existance, enjoy!
The Hacker Manifesto
by +++The Mentor+++
Written January 8, 1986
Another one got caught today, it's all over the papers. "Teenager Arrested in Computer Crime Scandal", "Hacker Arrested after Bank Tampering"...
Damn kids. They're all alike.
But did you, in your three-piece psychology and 1950's technobrain, ever take a look behind the eyes of the hacker? Did you ever wonder what made him tick, what forces shaped him, what may have molded him?
I am a hacker, enter my world...
Mine is a world that begins with school... I'm smarter than most of the other kids, this crap they teach us bores me...
Damn underachiever. They're all alike.
I'm in junior high or high school. I've listened to teachers explain for the fifteenth time how to reduce a fraction. I understand it. "No, Ms. Smith, I didn't show my work. I did it in my head..."
Damn kid. Probably copied it. They're all alike.
I made a discovery today. I found a computer. Wait a second, this is cool. It does what I want it to. If it makes a mistake, it's because I screwed it up. Not because it doesn't like me... Or feels threatened by me.. Or thinks I'm a smart ass.. Or doesn't like teaching and shouldn't be here...
Damn kid. All he does is play games. They're all alike.
And then it happened... a door opened to a world... rushing through the phone line like heroin through an addict's veins, an electronic pulse is sent out, a refuge from the day-to-day incompetencies is sought... a board is found. "This is it... this is where I belong..." I know everyone here... even if I've never met them, never talked to them, may never hear from them again... I know you all...
Damn kid. Tying up the phone line again. They're all alike...
You bet your ass we're all alike... we've been spoon-fed baby food at school when we hungered for steak... the bits of meat that you did let slip through were pre-chewed and tasteless. We've been dominated by sadists, or ignored by the apathetic. The few that had something to teach found us willing pupils, but those few are like drops of water in the desert.
This is our world now... the world of the electron and the switch, the beauty of the baud. We make use of a service already existing without paying for what could be dirt-cheap if it wasn't run by profiteering gluttons, and you call us criminals. We explore... and you call us criminals. We seek after knowledge... and you call us criminals. We exist without skin color, without nationality, without religious bias... and you call us criminals. You build atomic bombs, you wage wars, you murder, cheat, and lie to us and try to make us believe it's for our own good, yet we're the criminals.
Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for.
I am a hacker, and this is my manifesto. You may stop this individual, but you can't stop us all... after all, we're all alike.
It has been roughly 10 years since I began hacking, and I no longer walk the halls of my junior high or high school, but the overall message of the manifesto still applies. If you have not stumbled upon The Hacker Manifesto I would like to introduce you to one of the greatest peices of hacker litature in existance, enjoy!
The Hacker Manifesto
by +++The Mentor+++
Written January 8, 1986
Another one got caught today, it's all over the papers. "Teenager Arrested in Computer Crime Scandal", "Hacker Arrested after Bank Tampering"...
Damn kids. They're all alike.
But did you, in your three-piece psychology and 1950's technobrain, ever take a look behind the eyes of the hacker? Did you ever wonder what made him tick, what forces shaped him, what may have molded him?
I am a hacker, enter my world...
Mine is a world that begins with school... I'm smarter than most of the other kids, this crap they teach us bores me...
Damn underachiever. They're all alike.
I'm in junior high or high school. I've listened to teachers explain for the fifteenth time how to reduce a fraction. I understand it. "No, Ms. Smith, I didn't show my work. I did it in my head..."
Damn kid. Probably copied it. They're all alike.
I made a discovery today. I found a computer. Wait a second, this is cool. It does what I want it to. If it makes a mistake, it's because I screwed it up. Not because it doesn't like me... Or feels threatened by me.. Or thinks I'm a smart ass.. Or doesn't like teaching and shouldn't be here...
Damn kid. All he does is play games. They're all alike.
And then it happened... a door opened to a world... rushing through the phone line like heroin through an addict's veins, an electronic pulse is sent out, a refuge from the day-to-day incompetencies is sought... a board is found. "This is it... this is where I belong..." I know everyone here... even if I've never met them, never talked to them, may never hear from them again... I know you all...
Damn kid. Tying up the phone line again. They're all alike...
You bet your ass we're all alike... we've been spoon-fed baby food at school when we hungered for steak... the bits of meat that you did let slip through were pre-chewed and tasteless. We've been dominated by sadists, or ignored by the apathetic. The few that had something to teach found us willing pupils, but those few are like drops of water in the desert.
This is our world now... the world of the electron and the switch, the beauty of the baud. We make use of a service already existing without paying for what could be dirt-cheap if it wasn't run by profiteering gluttons, and you call us criminals. We explore... and you call us criminals. We seek after knowledge... and you call us criminals. We exist without skin color, without nationality, without religious bias... and you call us criminals. You build atomic bombs, you wage wars, you murder, cheat, and lie to us and try to make us believe it's for our own good, yet we're the criminals.
Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for.
I am a hacker, and this is my manifesto. You may stop this individual, but you can't stop us all... after all, we're all alike.
Subscribe to:
Posts (Atom)
