Linuxense

Post-event FAQs

1. What distro did you use? Could you explain the setup?

The distro used was Adamantix 1.0.4 (Kudos to the Adamantix team!).

The Challenge server (PIII 600 MHz, 128 MB RAM) was connected to the Internet through a bridge (Compaq P4 2.2 GHz, 256 MB RAM) set up using Honeywall. The bridge did the packet capturing, outbound traffic rate-limiting, etc.

There wasn't any firewall, nor did the Challenge server have any read-only mounts.

2. Why do you guys do this? Is it a publicity stunt?

Most security/break-in challenges are sponsored by companies to test or market their products. What we intended was to put an open source project up as the victim, give enthusiasts across the globe a chance to test their skills and try out their exploits, and share the lessons thus learned with the community. We claim neither that the system used is our product nor that it is an uncrackable system.

This event was featured in several news portals, local newspapers, blogs, discussion groups, and mailing lists. While we enjoyed the publicity, it also brought in more and more contestants and turned the event into an interesting one.

3. Do you expect that someone will try a ``0-day'' on your [Challenge] server?

No.

4. If it's a contest, there must be a prize.

Not really necessary in all cases. We had over 10,000 (based on unique IP addresses) participants. They took up the challenge just because they were passionate about it.

5. You guys suck! You gave a login which doesn't work.

What we released was the ROT13 (that was the twist) of the original login. If you couldn't make that out, assume that you simply didn't qualify for the challenge.

The given ROT13'ed login name was ``haavxhggna'' which can be decrypted to ``unnikuttan'', the name of a popular Malayalam cartoon character.

6. nmap returns ``connection refused''/``filtered''. Your [Challenge] server seems to be behind a firewall.

There was no firewall. This is what nmap reports when you run it against a server that is under (D)DoS attack (the Challenge server was overwhelmed by port scans, brute-force attacks, etc. most of the time).

7. If nobody could break in, will you claim that you have the hardest distro?

No. A break-in contest is probably not a way to prove that.

8. What will you do with the packet capture [data]?

We will analyze it when we get some free time. We will be happy to post here any analysis done by you too.
--
Last edited 18 March 2005 8:20 PM IST