Thursday, May 20, 2010

I am hacking your /etc/passwd!

We hear it too often, so I decided to write this post. Yes, in Codility you can run code that reads the file called '/etc/passwd' and displays its contents. So what? You may be tempted to think that this is the real password file of one of our servers, and that you can crack our root password, take over our servers and finally hack your Equi score to '100%'. Sorry, two wrong assumptions. This is not a real password file, and even if it were, it contains no password hashes.

The code submitted by candidates runs in an isolated environment, and we made sure this "reactor" has really thick walls, to prevent infiltration and to contain explosions of fork bombs and the like. Interestingly, it turns out that some runtimes refuse to work inside our reactor if they don't see an /etc/passwd file around (why? we wish we knew). We had to put a dummy /etc/passwd inside, which once in a while ignites so much excitement.

We had so many false alarms ("I can read your passwords!" "Are you sure?..." "Absolutely, I am hacking you now" etc.) that we finally inserted a discouraging note into our dummy /etc/passwd to cool the attackers down...
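To check the "no password hashes" claim on any passwd-format file, here is a small audit sketch, added as an illustration and not Codility's code. The sample file is constructed, and treating `#` lines as notes is an assumption about how a note might be embedded.

```python
import string

# Constructed sample: a decoy passwd file plus some entries a reviewer should flag.
SAMPLE_PASSWD = """\
# Constructed note: this file is a decoy, nothing to crack here.
root:x:0:0:root:/root:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sandbox:x:1000:1000::/tmp:/bin/sh
legacy:$6$constructedsalt$constructedhashvalue:1001:1001::/home/legacy:/bin/sh
guest::1002:1002::/tmp:/bin/sh
broken-line-without-fields
"""

DES_ALPHABET = set(string.ascii_letters + string.digits + "./")

def classify_password_field(field):
    """Classify field 2 of a passwd entry."""
    if field == "":
        return "empty"        # account usable without a password
    if field == "x":
        return "shadowed"     # hash, if any, lives in /etc/shadow
    candidate = field.lstrip("!")  # "!" prefix locks an account but keeps the hash
    is_crypt = candidate.startswith("$")                      # $id$salt$hash formats
    is_des = len(candidate) == 13 and set(candidate) <= DES_ALPHABET  # legacy DES crypt
    if is_crypt or is_des:
        return "hash"
    if field.startswith(("*", "!")):
        return "locked"
    return "unknown"

def audit_passwd(text):
    """Return (line number, user, verdict) for every entry in passwd-format text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue          # assumption: '#' lines are notes, not entries
        parts = line.split(":")
        if len(parts) != 7:
            findings.append((lineno, None, "malformed"))
            continue
        findings.append((lineno, parts[0], classify_password_field(parts[1])))
    return findings

def exposes_hashes(text):
    """True if any entry carries a password hash in the world-readable file."""
    return any(verdict == "hash" for _, _, verdict in audit_passwd(text))

if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD):
        print(finding)
```

A dummy file placed in a sandbox should produce only `shadowed` or `locked` verdicts.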
