Hacking competition?

Started by iago, January 13, 2009, 06:22:45 PM

rabbit

I'll give it a shot I guess :D

iago

Quote from: Towelie on September 25, 2009, 06:05:03 PM
doing this on a DoD network... I might pass.

I'm going to set it up so you have to connect to me through a secure tunnel. So technically, if you wanted to, you'd be safe. :)

Joe

Not to get into a cryptography debate, but can't they decrypt everything that comes over the wire once he sends his public key? Sure, they can't pretend to be him, but they can read everything sent out, if I understand correctly.

But that's a moot point since it's not against the law to hack into a machine with its owner's permission. Of course, you might have to prove that you have iago's permission to someone pretty important.. :P

EDIT -
Headline: US Navy Cadet caught hacking into Canadian web server.
Quote from: Camel on June 09, 2009, 04:12:23 PM
I'd personally do as Joe suggests

Quote from: AntiVirus on October 19, 2010, 02:36:52 PM
You might be right about that, Joe.


iago

Quote from: Joe on September 26, 2009, 12:20:33 AM
Not to get into a cryptography debate, but can't they decrypt everything that comes over the wire once he sends his public key? Sure, they can't pretend to be him, but they can read everything sent out, if I understand correctly.

But that's a moot point since it's not against the law to hack into a machine with its owner's permission. Of course, you might have to prove that you have iago's permission to someone pretty important.. :P

EDIT -
Headline: US Navy Cadet caught hacking into Canadian web server.

No, you're entirely wrong about how public-key cryptography works. To briefly explain, there are two concepts:
1) Anything encrypted with a private key can only be decrypted with the corresponding public key (what you're talking about)
2) Anything encrypted with a public key can only be decrypted with the corresponding private key (closer to what's actually happening)

Joe

I forgot that. SSH is double-encrypted, right? With your private key and their public key, therefore since only the intended recipient has both your public key and their own private key, only they can read it.

Gotcha.


iago

Quote from: Joe on September 26, 2009, 05:32:28 PM
I forgot that. SSH is double-encrypted, right? With your private key and their public key, therefore since only the intended recipient has both your public key and their own private key, only they can read it.

Gotcha.

Something like that, anyway. :P

Joe

Don't you work for an internet security company? :P


iago

Nope, I work for the government.

I'm not a crypto expert, though I do have a decent understanding of how ssh works. Your answer isn't really right, but explaining it is kind of a waste of time. :)

Sidoh

Quote from: Joe on September 26, 2009, 05:32:28 PM
I forgot that. SSH is double-encrypted, right? With your private key and their public key, therefore since only the intended recipient has both your public key and their own private key, only they can read it.

Gotcha.

SSH is probably a special case, but the standard public key model is the sender encrypts the message with the recipient's public key. A message can be decrypted using the private key corresponding to the public key that encrypted it. "Double encryption" probably means that the traffic is encrypted both ways.

Public keys and private keys have some sort of mathematical relation to each other.  The idea is that the (or a) public key is trivially determinable from a private key, but it's an intractable problem to determine a private key from a public key.  In RSA (and similar approaches), which is probably the most common form of public key cryptography in practice, the private key is two large primes, and the public key is the product of those two primes.

Quote from: Joe on September 26, 2009, 10:00:55 PM
Don't you work for an internet security company? :P

The innards of cryptography are a rather small subset of what internet security is about...

iago

Quote from: Sidoh on September 27, 2009, 11:42:28 AM
SSH is probably a special case, but the standard public key model is the sender encrypts the message with the recipient's public key. A message can be decrypted using the private key corresponding to the public key that encrypted it. "Double encryption" probably means that the traffic is encrypted both ways.

Typically, encryption using public/private keys is rarely done, because it's computationally expensive. What happens in SSH/SSL/etc is that the client/server use public key encryption to exchange a session key (and as of SSHv2, it's done in a way that isn't vulnerable to man-in-the-middle attacks; I don't know the details), and that session key is used for symmetric encryption (AES or something).

Quote from: Sidoh on September 27, 2009, 11:42:28 AM
The innards of cryptography are a rather small subset of what internet security is about...

Exactly. On a day-to-day basis, I need to know how to use encryption properly, but I don't necessarily need to know how it works (I trust very smart people like Bruce Schneier and the RSA folks to understand that kind of stuff. :) )
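
[Added example, not written by anyone in this thread: a toy Python sketch of the two key operations listed earlier and of the "public key moves a session key, symmetric cipher moves the data" pattern described just above. The primes, the function names and the SHA-256 keystream standing in for AES are all assumptions made for illustration; textbook RSA without padding is not safe for real use.]

```python
import hashlib
import secrets

# Toy key pair (constructed values): two known primes are kept private,
# their product N and the exponent E are published.
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, needs P and Q

def _digest(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def sign(msg: bytes) -> int:
    # Concept 1: private-key operation, checkable by anyone with (N, E).
    return pow(_digest(msg), D, N)

def verify(msg: bytes, sig: int) -> bool:
    return pow(sig, E, N) == _digest(msg)

def keystream_xor(key: bytes, data: bytes) -> bytes:
    # Stand-in for AES: XOR with SHA-256(key || counter). Same call
    # encrypts and decrypts.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def send(message: bytes):
    # Concept 2: only the small random session key goes through the
    # (slow) public-key operation; the bulk data uses the symmetric key.
    session_key = secrets.token_bytes(8)  # 64 bits so it fits below toy N
    wrapped = pow(int.from_bytes(session_key, "big"), E, N)
    return wrapped, keystream_xor(session_key, message)

def receive(wrapped: int, ciphertext: bytes) -> bytes:
    # Only the holder of D can recover the session key.
    session_key = pow(wrapped, D, N).to_bytes(8, "big")
    return keystream_xor(session_key, ciphertext)

if __name__ == "__main__":
    w, ct = send(b"hello over the tunnel")
    print(receive(w, ct), verify(b"host banner", sign(b"host banner")))
```
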

iago

So it turns out that the old PoS computer I grabbed to run this on won't boot with a USB keyboard, and I don't own a PS/2 one. Oops. :)

I'm thinking of running this on my old laptop now.. I know it can handle it, and it's not doing anything else. We'll see! I suddenly got really busy again. Bah!

rabbit

Quote from: iago on September 27, 2009, 12:57:33 PM
So it turns out that the old PoS computer I grabbed to run this on won't boot with a USB keyboard, and I don't own a PS/2 one. Oops. :)

I'm thinking of running this on my old laptop now.. I know it can handle it, and it's not doing anything else. We'll see! I suddenly got really busy again. Bah!

http://www.google.com/products/catalog?q=usb+to+ps/2+adapter&hl=en&cid=8787340792746948795&sa=title#p

iago

Now that you mention it, I have several of those in a drawer. I only have two keyboard/mouse sets, though, and both are wireless. It's worth a try, anyways.

If not, I'll just borrow a PS/2 from work. :)

iago

So yeah, I haven't forgotten about this, but I do apologize for the delay. Life's busy and all that, you know?

Anyway, this is all basically set up now. I was thinking, though, instead of doing a straight up competition, what if I give access to the virtual machines to people, give a brief lesson on a tool or two, then let you play around? After some practice, I can set up a proper "competition" for people. Would that work? And, is anybody still interested? :)

The only thing I have left to do is make an OpenVPN server. People who want to play will have to install OpenVPN on their workstation and connect to my server. From there, they will have access to the environment and can do whatever they like in the test network.

So yeah, anybody interested? :)

rabbit