Blackhat? Not me guv

<arreyder> niq cyberwar on going.
<arreyder> you should have participated๐Ÿ˜›
<niq> arreyder: where?
<arreyder> I got a shell on all 15 teams webservers with a cgi exploit
<niq> hehe
<niq> BAD arreyder
<arreyder> the one I told you about a while back. I got them to set up remote access if you wanted to play
<arreyder> I didnt get root on all of them though, I didnt have time and people were not cooperating like they usually do
<niq> erm, I’d prefer NOT to be carted off to Guantanamo Bay by some spook who hadn’t been told it’s an authorised game

To give this some context, arreyder works for the state government of Iowa, USA, and has mentioned these security exercises before. He seems keen on the idea of me donning a black hat and hacking in to their machines. Now that’s fine for him. It might be fine for me if I was an accomplished cracker with access to a botnet, and maybe an IP address or two in China to cover my tracks. It might even be fine if I was an American citizen who could demand constitutional rights between being arrested and clearing up the idea that I was authorised to crack into their machines.

But I’m none of those things. I’m just a dullard who is far too scared of the consequences to hack into anyone else’s computer. Let alone a U.S.-owned computer, in the time of the Inquisition. Even if the good folks in Iowa have authorised it, the spooks at my door might not see it that way. I’d be in no position to argue with them. And given the culture of secrecy amongst spooks, there’s no guarantee arreyder and his colleagues would ever hear about it.

In the ensuing discussion, arreyder explained that the computers in question are actually at the University of Iowa rather than the state government itself, so perhaps the target addresses are not quite so sensitive. But in any case, there’s no reason to suppose I’d have penetrated the target machines any further than, or even as much as, arreyder himself.

Posted on October 6, 2007, in security, USA. Bookmark the permalink. 4 Comments.

  1. Minor correction?๐Ÿ™‚ The event is held at Iowa State (Go Cyclones!) not the Uni. Of Iowa. It’s a lot of fun. One of the points of it is to give the students in the information security program a chance to get a taste of some sorta-kinda-almost real experience in providing, defending, securing and managing internet services.

    The students are given requirements on what services they must make available and in some cases even given known buggy code that they must run. (No doubt the cgi Grant? and I exploited on 14 of the 15? teams was a plant by the Exercise Coordinators to make things interesting) The entire event takes place on a closed network within reserved address class subnets. These are not just machines sitting out on the internet for you to pluck away at from your terribly unstable internet connection.๐Ÿ˜‰

    Throughout the exercise Nagios is used ot measure service availability and quality and a green team is busy pretending to be users doing all the wonderful things that users in the real world do. Including clicking on emails they should not and writing their account information on sticky tabs or the foreheads of fellow students that have fallen asleep. Plenty of forehead is to be found as the event takes place overnight.

    The student teams are judged on service availability, and loose points for various levels of information leakage and priviege escalations, etc…

    More information can be found here: http://www.iac.iastate.edu/LABS/ISEAGE.html

    And niq, I’m sure the invitation for you to participate will be extended to future events. I’ve not given up on you yet.๐Ÿ˜› Just add a few more layers to your hat and remember the shiny surface goes to the inside. We’re trying to keep stuff from getting out, not keep some new ideas from finding their way in.๐Ÿ˜‰

    arreyder

  2. Specific to the High School event but has more detail on the event and less about the environment than the last link. The most recent event was college level.

    http://survey.iac.iastate.edu/HSCDC/index.html

  3. When I was in high school I was REALLY into computers (now I’m REALLY REALLY into them), and being a young idealist (now I’m an older idealist) I enjoyed the idea of making the world a better place. As in the words of Malcolm X: “By any means necessary”. When I found out about the 2600 mhz captain crunch whistle and the world of phreaking, it seemed like a great “shortcut”, for about… oh a half a second.

    I realized that knowing how to do stuff like that is valuable, much more valuable than the cost of a phone call. Might as well pay the dime for the phone call, earn an honest dollar, donate a quarter for a good cause and save the other .65 for paying the mortgage on a rainy day.

    I think youths get so turned off by the BS in 99% of mass marketing that their brain filters it out automatically, making it difficult for them to perceive even the slightest inkling of opportunities to make a positive difference. Thankfully, there is the gnu and other “no-commercial potential” non-iconic icons which seem to say “hey, at least I’m not lying to you.”

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: