Hack IIS Server for Free xBox
Dedicated MacNNer
Join Date: Jul 2002
Professional Poster
Join Date: Oct 1999
Location: :ИOITAↃO⅃
Wow, I totally thought this was spam.
Anyway, that's a pretty cheap prize for what presumably could be a very lucrative skill.
Professional Poster
Join Date: Jun 2001
Location: Northwest Ohio
Originally Posted by Mithras:
> Wow, I totally thought this was spam.
> Anyway, that's a pretty cheap prize for what presumably could be a very lucrative skill.

What? This is Microsoft we're talking about here... Or did they make IIS 6 a real "Fort Knox?"
Professional Poster
Join Date: Jun 2003
Location: Hyrule
I bet that'll last no more than a day or two.
Aloha
Mac Elite
Join Date: Aug 2004
Location: Seattle, WA
Originally Posted by Person Man:
> What? This is Microsoft we're talking about here... Or did they make IIS 6 a real "Fort Knox?"

I think you underestimate Microsoft. Yes, their products aren't bulletproof, but very often that has to do with user error and misconfiguration. While I'm sure they'll give away some Xboxes, I don't think it's going to be a free-for-all.
Impulse Response
Professional Poster
Join Date: Jun 2001
Location: Northwest Ohio
Originally Posted by GSixZero:
> I think you underestimate Microsoft. Yes, their products aren't bulletproof, but very often that has to do with user error and misconfiguration.

True enough, but Microsoft shares the blame for the misconfiguration just as much as user error does. They typically have so many services enabled by default for "convenience," and "just in case someone needs it" that the users sometimes overlook them because they don't know what they are... "well, if it's on I must need it or it will break if I turn it off..."
I will be surprised if Longhorn ships with ALL unnecessary services off by default, like Mac OS X, leaving people to turn on only what they need...
Administrator 
Join Date: Apr 2001
Location: San Antonio TX USA
MS has gotten much smarter lately. They DO turn off almost everything by default. The new XP firewall is CLOSED by default, and the user has to open ports to do anything but basic surfing - while there are exploits that use port 80, the basic user is not likely to run into them on a Home Shopping Network page.
Here's an example relating to IIS 6:

> Immediately after installing Windows Server 2003 and IIS 6.0 with the default settings, the Web server is configured to serve only static content. If your Web sites consist of static content and you do not need any of the other IIS components, then the default configuration of IIS minimizes the attack surface of the server.

That leaves little to be desired - out of the box IIS 6 lets a remote user look at pictures, read text, and follow links. Not much of a risk there, eh? There's more:

> Each additional Windows Server 2003 and IIS 6.0 component is configured with the most restrictive possible security that will allow the component to still function. However, in providing any functionality, there is still an opportunity for potential attackers to exploit any weakness of the component.

MS puts the burden of which components to select on the user, and the documentation (some people DO read documentation) tells the user specifically what the known risks are and how to minimize them.
Sure, it took them a long time to figure this out, but they did figure it out. And considering that there are apparently at least as many IIS servers out there as Apache servers, this is important.
Anyway, offering a cool gaming console as a prize to attack a particular server in order to test it is interesting. I wonder if they'll get enough qualified hackers to give it a try. Maybe there are enough people skilled enough to attempt this that still want an XBox to make the contest worthwhile. We shall see.
Glenn -----
OTR/L, MOT, Tx
Clinically Insane
Join Date: Dec 1999
> Immediately after installing Windows Server 2003 and IIS 6.0 with the default settings, the Web server is configured to serve only static content. If your Web sites consist of static content and you do not need any of the other IIS components, then the default configuration of IIS minimizes the attack surface of the server.

Only took them 10 years to figure that one out.
"…I contend that we are both atheists. I just believe in one fewer god than
you do. When you understand why you dismiss all the other possible gods,
you will understand why I dismiss yours." - Stephen F. Roberts