23 Oct 2002 ib   » (Master)

Take a look over at eWeek's "openhack" challenge. In its fourth incarnation, eWeek (which is heavily sponsored by Microsoft) tries once again to prove Microsoft and Oracle security.

The challenge includes an Oracle and Microsoft server, which must be owned or defaced in order to be considered "compromised".

A closer look at the infrastructure, however, reveals the truth:

Aside from the servers in question and some infrastructure (which itself is partially shielded and guarded), most servers are ... tada ... OpenBSD. Both ns and mail are served by OpenBSD 3.2, the firewalls are OpenBSD's pf, and the switch and routing fabric is Extreme Networks', which runs ... well, they won't tell, but everybody who ever looked at a Summit or Diamond knows...

In short, this is pathetic. The topology used is highly unlikely to be deployed in a working environment, critical infrastructure is based on Unix, not Windows (PDF file containing the topology, 127kb), and the rules exclude some of the more powerful attacks.

What will this challenge prove? For the successful attacker, it proves a modicum of knowledge, and for Microsoft or Oracle it proves nothing (other than the fact that there are things even eWeek won't run on Windows).
