One T. G. Reaper issued a challenge to comp.os.linux.advocacy. The
challenge ran as follows:
A specific person was asked to run a binary executable file containing one
or more "exploits" of the Linux operating system and attendant tools,
applications, servers and the like. The actual content of the executable
was unknown to the "victim" and in fact, remains unknown to anyone but T.
The conditions were fairly simple: run the exploit until it exits or
aborts, on a stock or reasonably stock Linux machine for which no
particular security measures were taken - that is, no file alteration
monitoring, no anti-virus software, no "hardening" and so forth; a system
essentially out of the box, although (presumably) updated versions of
software, bug fixes, patches and the like could be applied. The
application should be run in your normal user account.
Of the (at last count) 7 Linux machines participating in the challenge, 5
were immune to the exploits, 1 suffered demonstrable failure and 1
suffered results which do not appear, at this point, to indicate a success
but which T.G. Reaper assures us were a successful exploit - a claim which
cannot be verified without either external evidence of this or access to
the source code, which would at least tell where the various logged
messages occurred in relation to successful or failed hacks.
So we have either 5 or 6 out of 7 machines being immune to T.G. Reaper's
exploits and either 1 or 2 being susceptible. This gives us a certain,
albeit minimal, metric for our next phase.
Our next phase consists of supporting the claim made by T.G. Reaper, to
wit, that Linux is _not_ more secure than Windows. This means that Linux
can be at best _as_ secure, although his comments strongly suggest he
regards Linux as being less secure.
Thus we propose to do exactly what he did, but for Windows boxes. That
is, I will put up a web page containing an exploit binary of unknown
contents. Said binary should be run on any released 32-bit version of
Windows - 95, NT, Me, XP, whatever. It should be run in the user's normal
user account, without anti-virus, file alteration monitoring, or other
security software in place, nor other security measures apart from a
firewall (if necessary) and any patches/fixes/updates to the software
which are available, if the user chooses.
The application should be run until it exits, until it aborts, or until
the challenge is complete, whichever comes first. It will log all its
results to a file, which can subsequently be mailed to the challenger
(i.e. me), whence it will be put on the website.
Once the challenge is complete, the results will be tallied and posted,
whatever they show.
Side note: the deliverable will likely be a .zip file consisting of
several files; the user is expected to unzip them and run the executable
from the directory into which it was unzipped.
This challenge will commence with the uploading of the exploit to the web
site and run for approximately 48 hours; a notice will be made first when
the site is selected and subsequently when the exploit file has been
uploaded, which will commence the 48-hour countdown.
Any and all are welcome to participate, but only the first 1,000 returned
responses will be recorded; I don't need to be swamped with thousands of
So, the question before us, then, is this: can a Windows system, without
any security measures beyond a firewall, resist such an exploit or series
of exploits? Can Windows in fact do this with a success rate of better
than 5 in 7 machines?
Only time will tell. However, there is one caveat to all this: since it
was T.G. Reaper who posted the initial challenge, set the initial rules
and deployed the original binary, the entire challenge is contingent upon
his willingness to run the exploit on his system, under these conditions,
just as we did on our systems.
Given that we are taking steps to support _his_ claims about Windows
security, it is only reasonable to expect him to step up to the plate to
help out. While any and all are welcome to participate, unless _he_
agrees to participate, the largest impetus of the challenge, namely to get
him to put up or shut up, is missing and the challenge will not proceed.
Will he step up to the plate? Or will he dodge?