Kuro5hin.org: technology and culture, from the trenches
Root for everyone

By kaworu in MLP
Wed Nov 22, 2000 at 11:25:33 PM EST
Tags: Internet

I started a project called openroot, where people who (a) want to learn how to administer a unix system, (b) experiment, or (c) do whatever they want, (but nothing destructive), are given the root password to a box on my network. You can find out more at the openroot website.


Root for everyone | 25 comments (19 topical, 6 editorial, 0 hidden)
You forgot (d) (3.00 / 4) (#3)
by whatnotever on Wed Nov 22, 2000 at 05:29:30 PM EST

(d) do whatever they want (anything)

You can't possibly expect that people won't abuse this. ... you don't... right?

Rather interesting idea (4.50 / 4) (#4)
by Pac on Wed Nov 22, 2000 at 05:29:52 PM EST

Let me rewrite it just a little bit:

I started a project called openhouse, where people who (a) want to learn how to administer a house, (b) experiment, or (c) do whatever they want, (but nothing destructive), are given the keys to my house. You can find out more at the openhouse website.

:)

But seriously now, I would really be interested in the outcome of your experiment. I also hope you are approaching it as both a network security and a sociological experiment. You will certainly learn about both fields.

Evolution doesn't take prisoners


Too many chefs... (5.00 / 3) (#5)
by ucblockhead on Wed Nov 22, 2000 at 05:31:56 PM EST

I'd worry about what happens when you've got ten people on there, all screwing around with root type stuff. Even assuming that all are honest and want to learn, I can see it quickly becoming confusing, especially if a couple of the roots start screwing around with the same stuff.

The thought is a good one, but in practice I see a lot of problems. What might be better is a sort of "root simulator", in which people have a virtual Unix system, but one that is actually completely separate (and perhaps one of many running on some box somewhere.)

You might also want to seriously consider some sort of registration procedure, perhaps as simple as giving out the password in an e-mail rather than on the site. Otherwise, you may find yourself flooded with looky-loos who log in, do a couple of commands, and then leave, never to come back. (Like I did.) I just hate to think what'd happen to your poor box if it ended up on Slashdot's front page!

-----------------------
This is k5. We're all tools - duxup

openroot / security issues (4.50 / 4) (#7)
by kaworu on Wed Nov 22, 2000 at 05:51:39 PM EST

I would like to address some of the questions. I know it's kind of stupid to think people would not abuse the system, but, it's still a great opportunity for the majority of people who wish to learn.

The openroot site needs some work. I'll probably work on an e-mail script soon, and an updating message board where people can post how they changed or updated the system.

Hope this helps.. :) Thanks!

The dangers involved... (5.00 / 1) (#10)
by whatnotever on Wed Nov 22, 2000 at 06:09:06 PM EST

I see you updated the site explaining that if someone screws it up, it's not a big deal. But there's more than that.

Two things I can think of off of the top of my head are:

1) People can install packet sniffers, etc. Getting root on one machine in a network makes it a lot easier to get into the others. I hope your security is good on your other machines.

2) They might use it as a platform for attacking other machines. This is a good way for *you* to get in trouble. You'll need to keep logs of all traffic (on another machine, of course) if you want even slight protection against this.

Maybe you knew that already (in which case I think you're somewhat insane), but I'm just making sure you know the possible consequences. It's a great idea, but I can't see it working out, realistically.

[ Parent ]
precautions (4.50 / 2) (#11)
by kaworu on Wed Nov 22, 2000 at 06:17:31 PM EST

I've taken some precautions. I run a switched network, and openroot is divided into its own subnet. You're right though, it might not work, but it's worth a shot anyways. As for people using that box for an attack launching platform, I've done some things to hinder that possibility... hopefully they'll work. :-) Thanks for the advice.

[ Parent ]
Huh, yeah. (3.50 / 2) (#12)
by whatnotever on Wed Nov 22, 2000 at 06:28:11 PM EST

Been poking around a little, and yeah, it isn't quite as bad as I thought. I don't know too much about these things, though, so there are probably some holes...

And I've just been reading up on sniffing on a switched network. Mind if I try some of my newfound l33t 5killZ? :-)

And you mention setting up a webserver as a possible project, but that couldn't be done without some assistance from you, correct?

Ooh! Johnzo just made himself an account! This is fun! :-D

[ Parent ]
m3 = ! ( 1337) (none / 0) (#18)
by johnzo on Wed Nov 22, 2000 at 10:31:26 PM EST

Unfortunately, that's about the extent of my 5killz. Whatever wankery happens on that box, you can bet it wasn't me.

zo.

[ Parent ]

This is not real, is it? (3.16 / 6) (#9)
by recursive on Wed Nov 22, 2000 at 06:02:05 PM EST

You heard about all the tricks root can do to leave back-doors in a system? That's why you build up a system from scratch after it was compromised. I really hope that you just want to make us believe that we could gain root access that easily and it's a sandbox for a little experiment in how people react. User Mode Linux might be the right toy for this.


-- My other car is a cdr.


Pretty good idea... (4.00 / 5) (#13)
by loprox on Wed Nov 22, 2000 at 06:35:20 PM EST

Only problem is that there is obviously some kiddie that will get in there and screw things up... better get a good backup and be prepared to go back to it often! What could also be cool is getting a bunch of people and getting them to each have a part in building the server.. more work for you (you have to coordinate) but people learn more and would stop kiddies from ruining everything... Keep up the good work man!


You mean... meatloaf is made with... MEAT?

What about this? (4.25 / 4) (#14)
by tweek on Wed Nov 22, 2000 at 06:53:34 PM EST

I like the idea in all honesty. The best way to go about this though is to install vmware and run several small virtual machines for people to access. You lock down the host box as tight as you can (as much as is possible with X running) and go to town. IIRC, there is nothing in the vmware license that prevents you from doing this. The only issue is that you'll need to segment those virtual machines off from the main network somehow so that they can't be used to cause damage to it.

All in all a good idea but it needs work. Don't let difficulty get in the way of altruism though.


Some people call me crazy but I prefer to think of myself as freelance lunatic.

vmware (3.00 / 1) (#15)
by kaworu on Wed Nov 22, 2000 at 07:03:56 PM EST

I plan on beginning to do this. In the meantime, have fun on my p75.

[ Parent ]
I know a guy who knows a guy, who.... (3.50 / 2) (#16)
by delmoi on Wed Nov 22, 2000 at 07:33:52 PM EST

Well, this is all hearsay, but a friend of mine has a friend who works at a major university. They just got a big-iron mainframe, and they're actually going to run Linux on it, but not just one instance...

They're actually thinking of giving everyone at the school root access to their own virtual linux box, one that can go as fast as a mainframe if it has to....
--
"'argumentation' is not a word, idiot." -- thelizman

Abuse of the privilege - maybe not (4.00 / 2) (#17)
by Smiling Dragon on Wed Nov 22, 2000 at 09:42:27 PM EST

I started to write this as an answer to someone's comment but then figured it would be better here as many people have made much the same point: that some twit will come along and ruin it for the others by playing at master hacker.

You know who your users are. You only allow console and su access to root. You syslog to a separate host.
At regular intervals you make a dump of modification times for system files and sched files (/etc/passwd, cron and at are good starts) and make frequent backups.

Someone trying hard could hide their tracks pretty well but you would be able to narrow it down fairly well. I'm not sure _I'd_ screw up a box when there is a reasonable chance the owner will not only know that I did it but who I am.

About the biggest worry I'd have is that the entire host would need to be extremely untrusted or, better yet, on a network isolated from your main network (firewall etc). NFS is always a bastard when you can't trust all the hosts on your net.

Go for it! You are doing a Good Thing and I wish you the very best of luck with it. :)

-- Sometimes understanding is the booby prize - Neal Stephenson
You need a big firewall (4.66 / 3) (#21)
by Paul Crowley on Thu Nov 23, 2000 at 07:32:29 AM EST

Please, for the sake of all other users of the Internet, put this thing behind a firewall that entirely blocks *outbound* TCP connections. And blocks nearly everything else you don't explicitly want to allow, including all incoming connections that don't go to specific approved ports.

The havoc that could be wrought with a box like this is more than I can list. Spammers will set it up as an open mail relay and pump spam through it. Irate IRC people will launch DOS attacks. Web forums like kuro5hin could be subjected to floods of messages from anonymous sources. I could go on.

Block everything you don't explicitly mean to allow. And in particular, block TCP packets with the SYN bit set.

This will also mean that installing a sniffer on the box won't do any good.

I don't think this would be a complete solution to the security problems this box raises, but it's a basic starting point.
--
Paul Crowley aka ciphergoth. Crypto and sex politics. Diary.
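
One way to express the policy described in the comment above on a Linux router placed in front of the box, as an added example that is not part of the thread. The interface name lab0, the address 192.0.2.10 and the function name are assumptions; the script only prints the iptables commands unless IPT=iptables is set.

```shell
#!/bin/sh
# Added example, not from the thread. Rules for a Linux router sitting between
# the lab box and everything else. Assumed names: lab0 (interface facing the
# box) and 192.0.2.10 (the box's address, taken from the documentation range).
# Dry run by default: prints the commands. Set IPT=iptables to apply as root.
IPT=${IPT:-echo iptables}

# lab_rules LAB_IF BOX_IP PORT...   returns 1, emitting no rules, on a bad port
lab_rules() {
    lab_if=$1; box_ip=$2; shift 2
    for p in "$@"; do
        case $p in ''|*[!0-9]*|??????*) echo "bad port: $p" >&2; return 1 ;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "bad port: $p" >&2; return 1; }
    done
    # Default for forwarded traffic: drop whatever is not listed below.
    $IPT -P FORWARD DROP
    # Packets of connections that were allowed in may pass in both directions.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # New TCP connections opened from the box (--syn: SYN set, ACK/RST/FIN
    # clear) are logged; the next rule drops them with everything else.
    $IPT -A FORWARD -i "$lab_if" -p tcp --syn -j LOG --log-prefix "openroot-out-syn "
    $IPT -A FORWARD -i "$lab_if" -j DROP
    # Inbound: only new connections to the approved ports on the box.
    for p in "$@"; do
        $IPT -A FORWARD -o "$lab_if" -d "$box_ip" -p tcp --dport "$p" --syn -j ACCEPT
    done
}

lab_rules lab0 192.0.2.10 22
```

The log lines prefixed openroot-out-syn give the router-side record of every outbound connection attempt made from the box.
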
Password changed (1.66 / 3) (#22)
by jamiemccarthy on Thu Nov 23, 2000 at 09:17:38 AM EST

It's now just about ten hours after this story was posted on kuro5hin, and the password for openroot is no longer the empty string.

One more experiment in faith, R.I.P.

Hello? Are we forgetting something? (3.00 / 1) (#23)
by balls001 on Thu Nov 23, 2000 at 10:01:52 AM EST

Anyone can go install Linux on their machine and a) learn how to administer a unix system, b) experiment and c) do whatever they want, destructive or not. This was nice like 4 or 5 years ago when Linux wasn't as widely available and everyone was on a 14.4, but then everyone would have just run Nukebots. But these days you can go install Linux on your Windows drive, use LOADLIN or something similar, or you can run Win9x and Linux (or any other OS, for that matter) in parallel using VMWare or a free alternative.

So what exactly was the point of that exercise, other than to create a massive glut of insecurity?

motd (none / 0) (#24)
by enterfornone on Thu Nov 23, 2000 at 07:00:15 PM EST

Sorry, couldn't resist that one. I agree this is sort of pointless, but as long as the box is properly isolated from the rest of the network and there's nothing important on it then it probably isn't a big deal.

Check out r1r2.com. These ppl have set up two cisco routers that you can telnet into and play around with.

--
efn 26/m/syd
Will sponsor new accounts for porn.

Get over yourselves.. (none / 0) (#25)
by Chiron on Fri Nov 24, 2000 at 11:54:14 AM EST

I modded this one up a couple days ago, then went off to hunt for some turkey.. It's just something amusing he appears to be doing, and a way to burn a bit of time and some disused hardware. It's not like he's putting some enterprise class machine up capable of DoS'ing an f500 site.

I think it's a nice way to waste a holiday, and more power to Kaworu for being bored enough to do it. Now, could all of you tut-tutting about 'How you're gonna get 0wN3d' get over yourselves? I'm pretty sure he already knows it's going to happen.
