Dailydave mailing list archives

Re: The long tail of vulnerable operating systems

From: Joseph McCray <joe () learnsecurityonline com>
Date: Fri, 16 Nov 2007 20:43:28 -0500

Being someone that actually hosts CTFs as well as having come up in the
good old days of the RootHack.org, PullThePlug.org, and competed in the
CTFs at Def Con - I would say that you probably see a lot CTFs with old
OSs because: 


1. Often times competitors have a difficult enough time just
compromising that stuff. 


2. Katie's point about old OSs, and crapplications still deployed in a
lot of companies is true and will never change. If it ever does then we
won't have jobs anymore.

3. Hacking is changing. Web app/client-side/reverse engineering is
really what's going on now and it's hard to put together a CTF with that
type of stuff. A really high skill level is required to set up and score
the game, and a high skill level is required of the participants just to
play.

3. The bottom line is -- it's an awful lot of work to put together a
complex network of modern OSs, and apps that are still vulnerable to
something, set up a scoring system that actually works in that complex
of an environment to see that you only have a few participants that lack
the skill to exploit even the simple stuff you put out there.


In my experience the people that have skill, and do this everyday for a
job really don't play very often. People get up for the big CTFs like
the one at Def Con because it's once a year and basically because there
really isn't that level of competition anywhere else in the world.


If you are really looking for some CTFs that are hard core - meaning no
Nessus, no Metasploit, real hacking (web app/custom binary
exploitation/reverse engineering type stuff) you are probably going to
be left with Def Con's CTF, and probably HITB Con's CTF.


If you are looking for CTFs that aren't quite to the Def Con/HITB Con
kind of level, but are just running newer OSs and apps I can't really
think of anything free and open to the public to be honest. You'll
probably end up setting up something yourself if that's the kind of CTF
you want.

Hope this helps....

-- 
Joe McCray
Toll Free:  1-866-892-2132
Email:      joe () learnsecurityonline com
Web:        https://www.learnsecurityonline.com


Learn Security Online, Inc.

* Security Games        * Simulators
* Challenge Servers     * Courses
* Hacking Competitions  * Hacklab Access

"The only thing worse than training good employees and losing them 
is NOT training your employees and keeping them." 

        - Zig Ziglar

Attachment: signature.asc
Description: This is a digitally signed message part

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave

Current thread:

Re: The long tail of vulnerable operating systems, (continued)
- - Re: The long tail of vulnerable operating systems Matt Hargett (Nov 15)
- Re: The long tail of vulnerable operating systems Steve Shockley (Nov 13)
- Re: The long tail of vulnerable operating systems Katie M (Nov 13)
  - Re: The long tail of vulnerable operating systems Darryl Luff (Nov 14)
    - Re: The long tail of vulnerable operating systems dan (Nov 15)
  - Re: The long tail of vulnerable operating systems Adriel Desautels (Nov 14)
    - Re: The long tail of vulnerable operating systems Katie M (Nov 15)
    - Re: The long tail of vulnerable operating systems Adriel Desautels (Nov 15)
  - Re: The long tail of vulnerable operating systems Weston, David G. (Nov 15)
- Re: The long tail of vulnerable operating systems Chris Eagle (Nov 13)
- Re: The long tail of vulnerable operating systems Joseph McCray (Nov 17)