Announcement

**Deviant Ollam** · June 15, 2007, 13:17

Re: CFSB: Vista and OSX86

Originally posted by sk00t View Post

So far, everything committed has been a *nix flavor, so I'm asking for some diversity. I'm really hoping we'll see some boxes with Vista or OSX on Intel ( JaS / uphuck / etc is fine), so if someone is interested, stand up and be counted.

while i think vista has been out for too short a time to be properly considered worthy of "secure" deployment, i might be willing to toss a Windows server or workstation into the mix. i'd be eager to learn more details of the contest, such as what consititues 0wning the box... creation/compromise of an admin user account? simply moving files around or uploading some signed file to the system drive?

what techniques will be used? strictly remote attacks? or will people be allowed to walk up to the machines, since that would pretty much be the endgame right there. (although, i think it would be a real eye-opener to have a speed contest in which folks are allowed to walk physically up to a machine and own it, then walk away leaving as few clues as possible. would be a cool speed challenge while at the same time very educational for the mindless small business types who don't grasp the concept of securing servers behind locked doors)

**sk00t** · June 15, 2007, 19:30

Re: CFSB: Vista and OSX86

Originally posted by Deviant Ollam View Post

while i think vista has been out for too short a time to be properly considered worthy of "secure" deployment, i might be willing to toss a Windows server or workstation into the mix. i'd be eager to learn more details of the contest, such as what consititues 0wning the box... creation/compromise of an admin user account? simply moving files around or uploading some signed file to the system drive?

what techniques will be used? strictly remote attacks? or will people be allowed to walk up to the machines, since that would pretty much be the endgame right there. (although, i think it would be a real eye-opener to have a speed contest in which folks are allowed to walk physically up to a machine and own it, then walk away leaving as few clues as possible. would be a cool speed challenge while at the same time very educational for the mindless small business types who don't grasp the concept of securing servers behind locked doors)

I dunno, I'm interested to see Vista precisely because it's so new. There's some question whether the improvements in DEP and ASLR will bear fruit or not. We'll see.

I need to get the FAQ up -- there's a rules page on the site, but basically there are two stages -- day one is remote, with a minimum of two services visible, and day two requires providing some level of authenticated access (restricted shell / nonpriv user / HTTP user, etc, is OK).

As far as what constitues 0wnage, each defender entry will be provided with a unique GPG key to place in a directory on the filesystem. The key will decrypt a file we'll make available somehow, which contains instructions on how to claim the machine.

There won't be physical access to the machines, unless I do get some more neat older machines committed. If there's no ethernet port on the box we'll try to be flexible. :)

This is literally something I came up with less than a week ago, so it's still a bit of a moving target. So far I'm just glad to see the level of interest, and we'll consider this year to be something of an experiment. Hopefully it will be fun.

**punkrokk** · July 27, 2007, 06:54

Re: CFSB: Vista and OSX86

I would bring a Vista box just for fun. (I don't really have a spare box to give up)

Announcement

CFSB: Vista and OSX86

CFSB: Vista and OSX86

Comment

Comment

Comment