Somebody set up us the [fork] bomb
February 23, 2012 7:59 AM   Subscribe

Just one problem: the hacking game has been hacked, with something called a fork bomb.

"Hacked" to me would be if someone figured out how to gain control of the system beyond what was expected in the contest. This is just a simple DoS based on the fact that the system allowed arbitrary code to be executed. In this context it's closer to griefing than hacking, in that they ruined it for everyone else by making it impossible to play the game.
posted by burnmp3s at 8:08 AM on February 23 [19 favorites]

I say give them the prize. Costing millions of dollars in lost transactions is at least as bad (for the company) as leaking private data.

You can begin Stripe's CTF challenge by running ssh level01@ctf.stri.pe from your shell and entering the password e9gx26YEb2.

Wait....they let you just ssh in? Never mind, that's just stupid.
posted by DU at 8:10 AM on February 23

I think it's worth pointing out that the fork bomber is Ted Dziuba, who folks might remember from the now dead Uncov. He has a reputation.

He also claimed responsibility on Twitter.
posted by cvp at 8:11 AM on February 23 [2 favorites]

This does not instill confidence in Stripe. Perhaps this is the real value of wargames - companies that are trend-hoppers who lack the ability to implement basic safeguards will immediately be outed.
posted by allen.spaulding at 8:11 AM on February 23

Let's call it 'grieking' then.
posted by spicynuts at 8:12 AM on February 23 [3 favorites]

> Costing millions of dollars in lost transactions is at least as bad (for the company) as leaking private data

I don't see anything affecting their production systems at all, this is just their non critical sandbox machine they are encouraging people to hack into.
posted by mrzarquon at 8:13 AM on February 23 [7 favorites]

That phrase is beautiful: fork bomb. I'm imagining an updated technopunk version of the garden of the forking paths.
posted by dhruva at 8:14 AM on February 23 [2 favorites]

DU: "I say give them the prize. Costing millions of dollars in lost transactions is at least as bad (for the company) as leaking private data.

You can begin Stripe's CTF challenge by running ssh level01@ctf.stri.pe from your shell and entering the password e9gx26YEb2.

Wait....they let you just ssh in? Never mind, that's just stupid."

It's not like this is one of their secure servers. I wouldn't be surprised if it were on another network entirely.

burnmp3s: "
"Hacked" to me would be if someone figured out how to gain control of the system beyond what was expected in the contest"

Agreed. Like any hack writer, I was going for a headline that would sell papers.
posted by Deathalicious at 8:14 AM on February 23 [3 favorites]

spicynuts: "Let's call it 'grieking' then."

intentional anagram of krieg?
posted by symbioid at 8:15 AM on February 23

Deathalicious: " As a result of the ongoing forkbomb(s) on the Stripe server, it's impossible to log on, let alone play. The team at Stripe forgot the first rule of security: never trust the user."

So Dziuba's a troll.
posted by zarq at 8:17 AM on February 23

: ( ) { : | : & } ; :
I would not call this elegant. Terse certainly. Using : as a function name is deliberately obfuscatory. I like the substance of it though.
posted by shothotbot at 8:19 AM on February 23 [4 favorites]

As a result of the ongoing forkbomb(s) on the Stripe server, it's impossible to log on, let alone play

As a result of the ongoing forkbomb(s) on the Stripe server, it's impossible to log on, let alone play with the VM that was set up for the game. I'd agree that this is closer to griefing than anything else - not playing the game, and not doing any damage aside keeping other people from playing the game.

Still, fairly inevitable.
posted by dirtdirt at 8:21 AM on February 23 [1 favorite]

They should have set up user process limits correctly. Not a huge deal, they can just bring the VM back up in single user mode and set up the limits correctly.
posted by Ad hominem at 8:24 AM on February 23

I don't see anything affecting their production systems at all...

That wasn't my point. My point is, they want to demonstrate they can't be taken down. They were taken down. The game is over. The fact that they weren't taken down the way they wanted to be is irrelevant. That's not how security works. Obviously a hacker isn't going to take the hardest route deliberately.
posted by DU at 8:24 AM on February 23 [5 favorites]

allen.spaulding: "This does not instill confidence in Stripe. Perhaps this is the real value of wargames - companies that are trend-hoppers who lack the ability to implement basic safeguards will immediately be outed."

Well, it's tricky. You want to give people credentials to get in, but ulimit, the traditional forkbomb defencse, only restricts running processes by user. So you can use ulimit, but you'll also restrict the number of simultaneous players to where most will be unable to determine the difference between the server being forkbombed and working as intended.

But yes, as a payment processing system trying to show off how great their security team is, this is an oversight. I'm thinking some kind of autoprovisioning via PAM might have worked, but you'd probably have to custom write that, which automatically means it'll be hacked in short order.
posted by pwnguin at 8:24 AM on February 23

Furthermore, the response to the tweet taking responsibility is also relevant: We've been bumping our rlimits to allow more people in, but it seems we made them too high :).

Yep. Business dictates often do render your security useless. If Stripe were smart, they'd learn from this.
posted by DU at 8:26 AM on February 23 [1 favorite]

My point is, they want to demonstrate they can't be taken down.

No they don't. Read the article. The point is of the game is to seize sensitive data. Maintaining the integrity of customer (credit card!) data is MUCH more important to them than maintaining constant uptime.

DOS is not achieving the goal, it's just being a dick to the other players.
posted by chundo at 8:28 AM on February 23 [14 favorites]

That wasn't my point. My point is, they want to demonstrate they can't be taken down. They were taken down. The game is over. The fact that they weren't taken down the way they wanted to be is irrelevant. That's not how security works. Obviously a hacker isn't going to take the hardest route deliberately.

Unauthorized Access != Taken Down.

Remember that Sony fiasco a while back where the accounts of PS3 users was accessed, including credit cards? Yeah, that is a lot more serious than a DDoS. A DDoS is a lot less of a PR disaster than leaked credit card information, and I doubt the final cost is anywhere near the same.

So no, I don't think they deserve the prize.
posted by mysterpigg at 8:30 AM on February 23 [2 favorites]

> My point is, they want to demonstrate they can't be taken down.

No, I think they want to demonstrate that they can't be compromised. Right now this is just indistinguishable from bad development code put into production, any change management process would let them revert to prior builds and start over.

Hitting max threads on the CPU and making them reboot the server doesn't accomplish much. From a security standpoint it is pretty much useless since: A) they know what you are doing and B) they can lock you out in a second anyway (I'm guessing they are leaving this server up as part of the challenge / game).

Now if they are rebooting the server and the fork bomb keeps coming back after they've halted ssh and it appears that the system is actually rooted, then that is something.
posted by mrzarquon at 8:30 AM on February 23 [1 favorite]

The point of the game is privilege escalation. The fork bomb is basically a DoS attack. It's pretty weak; it's like being challenged to a game of Scrabble and flinging the pieces on the floor and claiming that you've 'won'.

The ability to lock up a machine, given SSH access to a user account, is not that interesting. It's certainly not equivalent to surreptitiously gaining access and then leaving, which is a real risk and what the game is all about.

What Stripe probably needs to do is create a bunch of user accounts for people who want to play (i.e. generate them on demand) and then limit the resources that each account can consume, to keep one player from just locking up the machine for the other players in a fit of assholery. Right now since it seems they have all the players sharing one account, it's tougher to enforce limits.

Fork bombing was a pretty lame script-kiddie trick back in the days of shared-resource Unix machines (especially academic ones, where you might not have tight per-user CPU limits because occasionally users really did need a lot of CPU); I'm simultaneously tickled and annoyed that it seems to have been brought back for an encore. People who used to do that ... ugh, rage.
posted by Kadin2048 at 8:33 AM on February 23 [7 favorites]

My point is, they want to demonstrate they can't be taken down. They were taken down. The game is over. The fact that they weren't taken down the way they wanted to be is irrelevant.

I don't think that is really the point of this game at all. You could take down almost any server with a DoS attack. Even with the process limit issue fixed, it would be trivially easy to hammer the SSH server with enough traffic to make it impossible for genuine users to log in to play the game. And the game they created is obviously beatable, the concept of it is that it's difficult but not impossible to work your way through the game and win. It's a game that encourages people to think about security exploits, not a challenge to break an unbreakable system.
posted by burnmp3s at 8:35 AM on February 23 [3 favorites]

I came expecting the Kobayashi Maru, but all I got was someone peeing in the pool.
posted by helicomatic at 8:42 AM on February 23 [14 favorites]

Someone go back in time and tell Tim Berners-Lee while the pornography aspect is nice, the fact the Internet provides assholes with an open mic negates the benefits.
posted by yerfatma at 8:44 AM on February 23 [3 favorites]

Seems like they have already spun up new VMs a couple times.

Exhausting the resources on a machine isn't much more than a speed bump for any well architected application these days. This isn't the olden days, these days it is easy just to bring up a new VM if you are getting pounded.
posted by Ad hominem at 8:46 AM on February 23

A strange game. The only winning move is not to let others play. How about a nice game of 3D chess.
posted by It's Raining Florence Henderson at 8:46 AM on February 23 [3 favorites]

Hitting max threads on the CPU and making them reboot the server doesn't accomplish much. From a security standpoint it is pretty much useless since: A) they know what you are doing and B) they can lock you out in a second anyway (I'm guessing they are leaving this server up as part of the challenge / game).

Maybe. It doesn't achieve a goal on its own but it's certainly possible you could use a technique like this as part of a larger attack. The simplest example I could think of is if a business had a procedure in place to continue operation while their credit card clearinghouse is down, a very reasonable contingency.

If you discovered that a business selling high ticket items or easily re-sellable items coped with such outages by simply approving all charges under $x dollars then you could exploit that with a DoS.

Or perhaps you discover that Stripe, in an effort to protect their business, approves all charges up to $x dollars during an internal outage. They might take that on as a business risk because they believe that the dangers of losing consumer confidence outweigh the cost of eating a small percentage of transactions which will later turn out to be denied. But if you're stacking the deck with bad transactions then you change that calculation.

I think this exploit is an interesting and good one. Not because it necessarily gets at the point of the exercise but because it generates this conversation. And the conversation about the trade-offs of security - and the costs and which ones are too high to be worth bearing and which ones are societal/ego vs financial - is what I think is often lacking.
posted by phearlez at 8:48 AM on February 23 [2 favorites]

My point is, they want to demonstrate they can't be taken down.

No. They want to demonstrate customer data is safe. Uptime is an important security concern, but maintaining control of your data is more important.

More to the point, they expect to be hacked. This is why they're offering a T-shirt instead of a big-money bounty - a honeypot as a marketing gimmick. The point of the exercise is to see how attackers handle a system similar to the one they've got - learning that they're exposed to unexpected DOS attacks means the contest is paying off for their security team already.
posted by Slap*Happy at 8:56 AM on February 23 [2 favorites]

That wasn't my point. My point is, they want to demonstrate they can't be taken down. They were taken down. The game is over. The fact that they weren't taken down the way they wanted to be is irrelevant. That's not how security works. Obviously a hacker isn't going to take the hardest route deliberately.

First rule of network security - if someone has shell access to your machine, you're probably screwed. In this case, they gave everyone shell access (as part of a security game where the entire point of the game was to circumvent security checks and escalate their privileges). This wasn't a hack! It's akin to graffiti. Any dipshit grief'er with a c compiler and a Google search can build a program that will loop infinitely and eat resources. That doesn't mean they're a hacker, or that this company has lax security.
posted by Fidel Cashflow at 8:56 AM on February 23 [1 favorite]

So, they expected hackers to follow the rules, and do what they want them to do? This reminds me of the Millennium Challenge 2002 US war game embarrassment debacle. Not in the sense of the surprisingly effective methods of Gen. Van Riper, but in the series of naive assumptions made by people who run the games about how the games were going to be played. They fully expect their own side to win, or if they should lose, it would be through a known weakness, not because of an exploit of a blind spot in not only their defenses, but their own expectations about who and what their 'enemy' is.

This griefer, if that is really all his plan entails, shows that the company has yet to fully understand all the threats out there. They are expecting a thief to test their lock (only because they are confident in their locks), but instead someone has blocked off access to the lock, either for lolz, or a clever trick to both make the locksmiths look bad and make the competition go away so that he can focus on the server himself. Just because you've spent millions on home security, doesn't mean someone can't just cover your house in gasoline and burn it down. To some, the destruction of a prize is more fun than winning it. The failure to recognize this type of attack as a possibility is a weakness, and it was exploited.
posted by chambers at 8:58 AM on February 23 [1 favorite]

This griefer, if that is really all his plan entails, shows that the company has yet to fully understand all the threats out there. They are expecting a thief to test their lock (only because they are confident in their locks), but instead someone has blocked off access to the lock, either for lolz, or a clever trick to both make the locksmiths look bad and make the competition go away so that he can focus on the server himself. Just because you've spent millions on home security, doesn't mean someone can't just cover your house in gasoline and burn it down. To some, the destruction of a prize is more fun than winning it. The failure to recognize this type of attack as a possibility is a weakness, and it was exploited.

So the fact that someone can burn down your house means that you have shitty locks on your doors? Does the fact that no possible improvements to those locks will prevent someone being able to burn down your house mean that you think it's pointless attempting to improve lock technology?

Your own analogy refutes your argument.
posted by yoink at 9:01 AM on February 23 [8 favorites]

Anytime someone can run arbitrary code on a machine, the machine is no longer under your control.

On preview, what Fidel Cashflow said.
posted by k5.user at 9:04 AM on February 23

This griefer, if that is really all his plan entails, shows that the company has yet to fully understand all the threats out there.

Good lord, nobody fully understands all the threats out there. Security is an iterative process, just like everything else in IT.
posted by Slap*Happy at 9:04 AM on February 23 [2 favorites]

So the fact that someone can burn down your house means that you have shitty locks on your doors? Does the fact that no possible improvements to those locks will prevent someone being able to burn down your house mean that you think it's pointless attempting to improve lock technology?

It means you look into fireproofing the outside of your house, in addition to the expensive locks. Security is only as good as your list of possible threats.
posted by chambers at 9:07 AM on February 23

This reminds me of the Millennium Challenge 2002 US war game embarrassment debacle.

You clearly don't have any idea what went on during MC02. I was a core developer on the simulation software that ran MC02, and I've been involved in over a dozen Naval training and experimentation events. I left comments in another thread about why Van Ripper's words shouldn't exactly been taken at face value.
posted by Fidel Cashflow at 9:07 AM on February 23 [2 favorites]

Anytime someone can run arbitrary code on a machine, the machine is no longer under your control.

They gave the users the ability to run perl as part of the contest. The contest was whether they could elevate rights, not whether they could crash the box, which is trivially easy to do.
posted by empath at 9:13 AM on February 23

So the fact that someone can burn down your house means that you have shitty locks on your doors? Does the fact that no possible improvements to those locks will prevent someone being able to burn down your house mean that you think it's pointless attempting to improve lock technology?

If you advertise the fact that you've left a house open wide for criminals to come in and try and bust open the safe in the bedroom, and someone burns the house down, maybe it wasn't a very good PR stunt.
posted by iotic at 9:15 AM on February 23 [1 favorite]

They probably should have given every login their own VM to stop one person from crashing the contest for everyone, though. Seems kind of dumb to put them all on the same box, since you have to expect that people are going to try stuff like buffer overflows which are pretty likely to cause crashes and so on.
posted by empath at 9:16 AM on February 23

It means you look into fireproofing the outside of your house, in addition to the expensive locks.

To be safe they should unplug the server from the internet. Totally secure!
posted by chundo at 9:26 AM on February 23 [1 favorite]

The way you prevent this sort of crap in the real world is that you don't let random people have shell access. It's widely considered that once someone has that, they've already compromised nearly all of your security anyway.

But for the purposes of the competition, they gave people a shell login. That's because it's a game. If it wasn't a game, then it's highly unlikely that someone whose idea of lulz is executing a fork bomb would ever make it that far in. So, doing so doesn't really demonstrate anything important.

The lockpicking contest analogy is a good one; it's like the manufacturer of a new lock letting people line up to try and pick it, and having some jackass shove chewing gum in there. It doesn't prove anything -- everyone knows you can shove gum in there, which is a pain in the ass to clean out but doesn't open the lock. It's not telling anyone anything that they didn't already know. Of course you can do that; the question is, can you figure out a way to open the door?

Again, this is nothing more than somebody throwing the pieces to the game on the floor and claiming that they 'won.' It's lame, but one hopes that Stripe continues anyway, because privilege-escalation attacks are neat stuff. They're sort of like endgames in Chess; the goal is set (root, or some other privileged account), as is the defining start condition (unprivileged shell access), but getting from one to the other is worthy of study.


Somewhat related: several years ago, I believe Microsoft (?) had a similar attack-the-box competition, except that they had the target machine set up in such a way that it basically killed itself and rebooted to a clean state whenever it detected an intrusion. It was considered pretty inelegant, but underlines the idea that there are more important considerations for a secure system than remaining 'up' -- it's better to go down secure than stay up and be compromised.
posted by Kadin2048 at 9:42 AM on February 23 [6 favorites]

Christ, what an asshole.
posted by spitefulcrow at 9:56 AM on February 23 [1 favorite]

It doesn't prove anything -- everyone knows you can shove gum in there, which is a pain in the ass to clean out but doesn't open the lock. It's not telling anyone anything that they didn't already know.

I still think it's their fault for setting up the contest in a way that this was possible, and I don't blame the guy for doing it.
posted by empath at 10:02 AM on February 23

I still think it's their fault for setting up the contest in a way that this was possible, and I don't blame the guy for doing it.

How exactly would one set up a system that would allow a user to run arbitrary code, and yet at the same time prevent the arbitrary code from effecting the stability of the platform? You can virtualize it away all you want, but at the end of the day you've still got a user on your system that can control resources. There isn't really much that can be done about it.
posted by Fidel Cashflow at 10:06 AM on February 23

...at the end of the day you've still got a user on your system that can control resources. There isn't really much that can be done about it.

There are actually a number of mitigation strategies. Whether it still allows the game to go forward, as these can put a crimp in an attacker's toolkit, remains to be seen, but I'd be surprised if it didn't.
posted by Slap*Happy at 10:14 AM on February 23

If you isolate each user on their own VM, all they can do is fuck up their own instance. They won't cause very much disruption to the contest-- all they've accomplished is stopping themselves from winning.
posted by empath at 10:15 AM on February 23

If you isolate each user on their own VM, all they can do is fuck up their own instance. They won't cause very much disruption to the contest-- all they've accomplished is stopping themselves from winning.

The VM is still pulling system resources from the actual hardware. The only benefit is that you can restore from a save point, and you've shard'ed up your system so not everyone will be swamped by one VM's business. But if you've got enough VMs running on a small enough CPU, you're going to have issues with one rouge VM competing for resources amongst the others. You've still got to administer it either via an automated method, or via a manual method. I don't think it solves the overall problem.
posted by Fidel Cashflow at 10:21 AM on February 23

It means you look into fireproofing the outside of your house, in addition to the expensive locks. Security is only as good as your list of possible threats.

Except that we don't, do we? That's my whole point. Locks are designed to prevent certain kinds of incursion and not others. A lock hasn't failed if someone paints graffiti on your walls. A lock hasn't failed if someone sticks a dead animal in your crawlspace. A lock hasn't failed if someone runs a hose into your chimney. The fact that locks do not prevent all possible forms of attack doesn't prove that locks are pointless and nor does it mean that a competition designed to improve the design of locks is a waste of time.

If you advertise the fact that you've left a house open wide for criminals to come in and try and bust open the safe in the bedroom, and someone burns the house down, maybe it wasn't a very good PR stunt.

No, it just means that some asshole arsonist misunderstood the point of the challenge. Nobody who says "hey, I think I've designed a pretty good safe--want to see if you can break it open" is also claiming "I've designed a safe that fireproofs the house it is in." And guess what, if the safe is still locked, burning the house down didn't defeat the safe.
posted by yoink at 11:07 AM on February 23 [5 favorites]

yoink: "So the fact that someone can burn down your house means that you have shitty locks on your doors?"

No, but the fact that your IT security dept cares more about local privilege escalation than DoS might be a problem if you want a payment network that's immune to Anonymous.
posted by pwnguin at 11:37 AM on February 23 [1 favorite]

No, but the fact that your IT security dept cares more about local privilege escalation than DoS might be a problem if you want a payment network that's immune to Anonymous.

Sigh. Nobody was claiming that they had build a DDoS-proof network. Heck, they weren't even claiming a hack-proof network (the point of the game was to see which exploits would work not to show off impregnability). The fact that servers are vulnerable to DoS is trivially true, did not need to be demonstrated and bears no relationship to what this game was about.

And, finally, what this fork bomb did was shut down the game; it didn't shut down the credit-card processing servers. Just because I smashed your garden shed rather than solve the crossword puzzle you'd left in it for me doesn't mean either that I can solve crossword puzzles or that I can smash your house.
posted by yoink at 12:04 PM on February 23

...want a payment network that's immune to Anonymous...

I want a pony and a payraise, and that ain't happening anytime soon, either.

This isn't a test of network security (which is what deals with LOIC and the like) but of systems security.

So, you have your ISP, and they should be running their own security measures - that's the first line of defense. Then you have your network boundary stuff - five flavors of firewalls, load balancers, NIDS - and then your internal network stuff - VLANs, VRFs, ACLs more IDS - More firewalls (application specific) - and then you get to the internet-facing server.

This "war game" cuts out everything from between the ISP to the server. It's emphatically not a reflection of their real-world security.
posted by Slap*Happy at 12:14 PM on February 23 [6 favorites]

This kind of educational hacking challenge is pretty common - see http://www.hackthissite.org/ for example. Breaking them so people can't play isn't some kind of sneaky way to win - it's just a dick move.
posted by xiw at 1:57 PM on February 23

That phrase is beautiful: fork bomb. I'm imagining an updated technopunk version of the garden of the forking paths.

I think you just described Grant Morrison's interpretation of Darkseid's Omega Sanction.
posted by jason_steakums at 2:15 PM on February 23

From the Stripe post announcing this contest: "The hardest part of writing secure code is learning to think like an attacker." The Stripe system hasn't been hacked; it's just been the victim of a really tedious DOS attack. Yawn.

If Stripe were smart, they'd learn from this.

Well, since that's the self-stated point of the game, I'm pretty sure they will. Certainly, Stripe is very, very smart; it is the brainchild of brothers John and Patrick Collision, who are terrifyingly smart.
posted by DarlingBri at 3:55 PM on February 23

It would be amazing if they were the Collision Brothers, but they're the Collisons. :P
posted by Drexen at 4:28 PM on February 23 [1 favorite]

Yeah. I have been having this problem with their name for about five years now. I'm going to have to make them t-shirts or something... :)
posted by DarlingBri at 4:45 PM on February 23

Maybe the most elegant fork bomb is :(){ :|:& };:

I've always liked the "Swedish Chef" version, myself:

for(fork(); fork(); fork()) fork();
posted by sourcequench at 5:47 PM on February 23 [5 favorites]

the moral of this story:

this is why anyone with an actual business to run uses braintree, wepay, or (sigh) paypal
posted by Señor Pantalones at 10:24 PM on February 23

sigh. No, this is why we can't have nice things.

This was a puzzle game. Like the wooden one where you make a cube out of the pieces. It had multiple levels. And prizes. (Probably a job offer at the end too - this is like the brain teasers that Google-et-al have, but far more job related.)

That's all. Well that, and someone shit all over it. That someone's also proud that they're able to poop.
posted by fragmede at 11:12 PM on February 23 [2 favorites]

I had an extremely interesting evening with one of the founders of Stripe. Don't underestimate these guys as random yutzes jumping on the bandwagon. There's no more dangerous web game in the world than trying to move money without losing your shirt. Very large companies have lost...so much.

Anyway, they're bright guys. The founder said he'd do something at that meeting, and two months later, it was in fact done (at some risk, even). OK then.
posted by effugas at 2:49 AM on February 24 [1 favorite]

Maybe we should give them a bit of credit: perhaps they were expecting that there'd be not one but several or many winners, and they are ready to engage with some or all of them.

From my brief time around the business, most screen-printing shops will have a minimum order size for a batch of t-shirts. So unless the proffered reward is some sort of hand-painted, Williamsburg Special Snowflake Edition then there is a cardboard box of fifty-some shirts behind the desk of the Square, Inc. marketing person.

If so, then this suggests that they are prepared for more than one report, and I take that as a very good sign.
posted by wenestvedt at 7:03 AM on February 24