Dailydave mailing list archives

Re: Re: Dreaming of Summer


From: David Maynor <dave () 0dayspray com>
Date: Sat, 06 Dec 2003 12:32:44 -0500



In my case RHES fixes all, but there's still a big population in the Unpatched-Masses-wearing-a-KickMe-sign camp.

I'm thinking along the lines Phil suggested. Change the fundamental rules of the game to be attack oriented, or have 
Attack teams and Admin teams (that's starting to get kinda cluttered tho).

My assumption is that within 6 months, possibly three, there'll be known holes. Award points (panel of judges?) on 
the "elegance", stealth and/or realworld applicability of attacks. 

A remote root would be worth more than local root; 
remote unpriv'd shell worth way more than simply killing a service;
killing a service with a single packet more than flooding something 'til it pukes.
Not leaving messy syslog traces would give Elegance points.

There is a big problem here. Most of what Redhat sends out in its distro
is other opensource projects repackaged. Unless there is going to be a
remote root in up2date, these really aren't redhat issues. Sure there
might be a remote root hole in ssh or apache, but those are apache and
ssh problems, which patches are available for. Making a CTF that targets
one platform is not better than the "hack the product" contests.

Hell, maybe by then Microsoft will have ported Outlook Express to Linux and make root-via-spam a reality.

Make CTF a ninja contest instead of its current state. If it was managed right, it'd also give the winner(s) 
significant media coverage and RH some much needed (IMO) public scolding.


Just what we need, more kids wanting to be PHC when they grow up.

-- 
David Maynor
http://www.0dayspray.com/~dave