Hack IIS6 Contest Results
And the results are here!
Now, before I rant about this, let's answer what (and why) "Hack IIS 6" (http://www.hackiis6.com) was (because it is no more)!
For several years now, Microsoft (and with it Internet Information Server [web server]) has been under a lot of FUD attacks. There is a myth (somewhat rooted in real security problems with earlier versions) that IIS is quite easy to hack into. So people from Windows IT Pro magazine created a "Hack IIS 6" contest: hack into IIS 6 and you could win an X-Box!
Now, I was very interested in this contest, because this is the kind of response I would give:
>Troll: Ha! 1 c4n h4ck m$ windoze joke of web server with my eyez c10sed in minutes!
megame: Here is the link. Do it and you get X-Box!
>Troll: Only X-Box? For cheap crap like that h4x0r does not want to dirty his p0rts with m$ bull…
This contest was criticized because:
• The rules limit what counts as a hack
• Server is behind separate firewall (hardware? non-windows?)
• Site is too simple
• Read your heart out on Slashdot flaming link here!
However, this contest ended early because some thought that it does not prove anything and that it lowers the sponsors and organizers to troll level. This is bad. If you start a thing like this, you should see it through to the end, no matter what; this way it’s a joke. People are thinking that someone hacked it. There should at least have been a page with an explanation on the “Hack IIS 6” site, instead of just turning off the server.
I had to search and browse through many pages of blogs to find this explanation:
“The HackIIS6.com contest has ended. Penton publishing, the sponsors of the event - [as in NOT MICROSOFT], heard the many posts and comments publicly and privately that contests like this don't actually prove anything.
So Penton decided to end the contest early and I think rightly so. They simply turned the site off for a few days while they crafted a message about the changeup. It would have been best if they hadn't done things quite in that order, but that's what happened. The site was not hacked nor did it suffer a DoS attack.
I agree with Penton on this. This contest and others like it don't prove anything. If you want to show that IIS 6 is secure (or vice versa) do it with a record based on real world implementations, not unrealistic short term "hack me" events.”