Security Assignment -- Cops and Robbers

For this assignment, each group will have two roles. One role is, as for the rest of the term, to maintain their systems. The other role is to become `crackers' targeting a single, assigned machine.

Grading will be done as follows:

The admin group starts out with 100 points; by exploiting security holes, the crackers can `steal' these points according to the following table:

Points  Action
------  ------
  50    root passwd
  25    root access
  10    System user passwd (i.e. bin, daemon)
   5    normal user passwd
 -10    Admins identify cracker
   2    crashing machine
  10    describe how you could destroy OS or vital data/config files
 -50    actually doing it (and you get to reinstall it!)

Unsuccessful attempts at any of the above (for either side) will garner partial credit. Keep exact records.

Bonus points will be given for ingenuity (for both sides) in approaches to this situation. Try a variety of approaches. Using the same approach many times will not earn as good a grade as trying several approaches to the same problem.

Both sides must keep a detailed log of what was done or noticed. This log must be turned in, along with a summary of successes/attempts.


For the Crackers:

Keep your identity as a cracker secret. More importantly, keep your target machine secret.

As you can see above, any willful destruction of data such as to disable the machine will harm your grade. Keep backup copies of important files and binaries that you change.

Cracking machines outside your target machine will not be counted. If the machine is outside of the pool of machines for this class, you will be penalized. This includes running cracking tools on main CS servers; such activity should only occur on class machines.

Note that a password cracker should not be run on any regular CS machines.

Turn in:

A summary of your activity, with attention drawn to your successes.


For the Admins:

To be successful in this, you must take a proactive approach. You must try to prevent intrusions from happening in the first place. However, you should not cause undue inconvenience to the users (i.e. do not turn off everybody's account).

As a group, develop a security plan, which, at minimum, should contain the steps you will take to prevent intrusions (i.e. install npasswd), and what your goals will be when intrusion occurs.

Turn in:

Your security plan.
A summary of your activities.
All logs of your activities.


trent...