-
We may already have our 2nd person participating, so I'm going to have to hold off on allowing you to test. But I can answer your questions:
1. Spoofed IPs are perfectly fine, so long as you use that spoofed IP the ENTIRE TIME. To be honest, I don't see the reason for using the spoofed IP, since I will already know it is you. But hey, whatever makes you happy. The moment you use your real IP or switch to another spoofed IP is when we have problems.
2. No, no script to show currently attacking IPs for two reasons:
a. To keep the attackers anonymous
b. No way in hell I'm creating a non-necessary script during a case-study on security
3. Firewall? Services? That's for you to figure out.
-
Take my word for it or not. I have run down a few things I can think of to prove it is his box. I'll just say this: if he is in fact somehow spoofing the results, he doesn't need our help to own any box, and secondly he already owns it. To each his own. I am pretty sure he is legit.
Be safe and stay free
-
Is this a true Windows test or is it a test of third-party software that you have installed? I know you are beta testing SP2, just was wondering if that was the box in question?
-
3rd party software will be used of course. I said a secure XP box :) Would you dare run a *nix workstation without the proper security 3rd party tools that are essential? Nmap? Tripwire? ipchains? Softwall? I didn't think so.
This isn't about testing a default install, it is about testing the security of Windows XP in the hands of someone that fully understands the OS and is an admin of it.
This will be proving the point, and hopefully ending the argument, that XP is insecure. Why? Because I'm going to prove that in the right hands of someone who actually took the time to learn it.... it can be just as secure as OBSD running tripwire, ipchains, softwall, and the NSA kernel installed.
-
I applaud you pooh sun for doing this. Finally there will be something to point to when a Linux-centric user starts a "Linux is more secure than Windows." I can't wait for the results and when all is said and done, I would like to know what all you did to secure the box. A nice tutorial perhaps.
-
pooh sun tzu: Is this already over? If not, let me get the IP of your computer and have at it a little bit. :)
-
Jehnx, it is already over. Ended last night as a matter of fact.
Here are the basic stats, and I will be printing a total whitepaper soon:
Intrusions: 0
Successful DoS's: 0
Firewall Breaches: 0
There simply isn't a way in guys, sorry :) You can not break into a server that only has one open door, and when that door is the latest version as well as being configured to optimum security,
-
We may not always get along, but this is nothing short of applause worthy. We need more people doing this.
Maybe one of these days I'll put one of my boxes in the DMZ and let people have a crack at it....Pun intended.
For anyone who has ever done this before, they know it's cool, but for the people who have no idea why anyone would do this: well, can YOU think of a better way to test your security than letting people do it for you?
PST: What about Windows Server 2003? Any chance of you doing the same with that?
Also, you should really promote these results, around here, I know of a few places that won't use XP because of the security myth around it.
-
gore, I know we used to hate each other in the past, but it seems both of us have overcome some unseen barrier and would much rather hug(?).
As for doing a similar event for Windows 2003, it is a possibility. I don't know if you have seen my recent Windows XP Security guide yet, but I'm in the process of writing how to secure Windows XP from the bottom up, starting from the Installation beginning to the final 3rd party program. After I finish that series, I may give 2003 a chance (however, by that time I may be in such a crave for just touching the nix OS that I could plug on Fedora for a good month or two).
And yes, I will be posting the whitepaper/results so that people know the heavy amount of testing performed by a number of very talented people. Thanks for your nod of encouragement, and next time I damn well expect you to take part in this :)
-
Interesting concept, but what does this really prove? How do we know that the people you picked to "hack" your server really have any intrusion testing abilities? How do we know that they chose not to use their uber-3l1t3 h4cks on you so that they wouldn't give away the secret???
If you were trying to prove that a Windows OS based on NT can be secured, was there really a need? Unfortunately, if someone doesn't believe that a Windows OS can be secured, what you have presented here isn't really going to change their opinion. They already don't agree with what educational and government testing of the products has proven. Why expect a non-scientific test to prove anything?
I could go on and quote all of the major sources that say that the "hack this website" for $100k contests don't prove anything, but we have all read those stories. I think the same argument applies here.