The Zone Cell Challenge by Evan B. '10
Why work when you can hack other people's servers?
There are lots of things I should have been doing this weekend. There’s the 8 page draft paper that was due today. Or the 6.004 lab where I have to program a Turing machine – it’s due Thursday. Or the revision of my design project which is due on Thursday (I actually still don’t know what design I’m going to write up). Or either of the psets in my other two classes which are both due on Friday.
Yes, the weeks before Spring Break tend to suck. Like, not just your average suck. They tend to really suck. And with that much suck, I should have spent all weekend tooling and doing nothing else.
But of course that’s never how it works.
Last weekend, I took the Zone Cell Challenge.
Now, this is going to require a little background. Actually, there’s quite a bit of background. Back In The Day, the MIT I/S Department (now IS&T) hired student developers to basically help build Athena. They were called the Watchmakers, based on a book by Niven & Pournell (there’s a page that explains the metaphor). The Watchmakers worked in the Watchmaker Zone, and to help them test, debug, and generally try to break the technologies they were developing, I/S donated three servers, which formed the ZONE Kerberos realm and the zone AFS cell.
Ok…I guess I should take another step back and quickly explain Kerberos and AFS. Kerberos, named after the three-headed dog guard of Hades (usually seen as the Latin Cerberus), is a protocol for mutual authentication of a client and server through a trusted third party. Basically, you can prove who you are to other computers on the network, and your password never has to cross the network unencrypted. This works because there’s a single machine that all other computers on the network trust, called the KDC. Kerberos is broken up into “realms,” which represent distinct sets of users and servers. The normal realm here on campus is the ATHENA.MIT.EDU realm, but there are also the CSAIL.MIT.EDU, MEDIA-LAB.MIT.EDU, and NUMENOR.MIT.EDU realms.
AFS is the Andrew File System. Developed at Carnegie Mellon, AFS is a network accessible file system. It’s a way of accessing your files from any computer on the Athena network. AFS is broken up into “cells,” and there are many more AFS cells than there are Kerberos realms. Like Kerberos, there is an athena.mit.edu cell. There are also csail.mit.edu and numenor.mit.edu cells. However, there is additionally, for example, the sipb.mit.edu cell, run by the SIPB. This allows SIPB to maintain its own servers and software and allocate quotas without having to go through the Athena maintainers.
So…in addition to all of those cells and realms, there’s the lesser known Zone Cell, made up of three servers (remember – they’re for the Watchmakers): casio, seiko, and timex. If you look in the Zone Cell, you’ll see a series of very explicit rules. I’ll copy some of the better ones:
- The Zone Cell is not for reliable data storage.
- The Zone Cell is not for reliable data storage. (in case you missed it the first time)
- ASO reserves the right to remove someone’s zone cell bits. Reasons
this may be done include: […] gratuitously compromising the security of the zone cell
or zone kerberos realm, or intentionally causing Rule 1, 2, or 10 to
become relevant. […] - The zone cell is not for reliable data storage.
- The zone cell is not for reliable data access.
So…now that we’ve established the reliability of the Zone Cell, what is the Zone Cell Challenge?
The Zone Cell Challenge is an event that is usually for people interested in becoming SIPB AFS administrators. It’s designed to help people become more familiar with how AFS and Kerberos work.
In the Zone Cell Challenge, you start with root access to one of the three Zone Cell servers, and you have to accomplish three things. First, you have to give yourself root access to the other two Zone Cell servers. Second, you have to make yourself an administrator of the Zone AFS Cell (which is different from having root access on the servers!). Finally, you have to make yourself an admin of the Zone Kerberos Realm, which gives you permission to change other people’s passwords or create new accounts.
It actually turns out that none of these tasks are particularly challenging if you read the right documentation. And since I was interested in learning more about how to administer AFS, I signed up for the Challenge on Friday night. And at about 3:45 AM, I actually started trying to hack the Zone Cell in earnest.
The first part is easy, once you find the right command. It took me about 30 minutes to gain root access on all three servers.
And then, almost immediately after I had logged in to all three to make sure it worked, all of them froze. And they stopped pinging.
Well…crud. What did I screw up?
Well, fortunately, I didn’t screw anything up. The Zone Cell servers had been moved to virtual machines, and all of the virtual machines on one server froze, including casio, seiko, and timex. Fortunately, there were other VMs on that machine that people cared about, and one of the Athena server maintainers brought the servers back up.
One task down, two to go.
Before about 6 AM I managed to finish the second task – making myself an administrator of the Kerberos realm. I went to sleep, and when I woke up, I spent a couple of hours on the last task. The last task was also a little entertaining. I had a theory of how to make myself an AFS administrator, but I was worried that I would screw up the AFS users database. So I asked on the zone-cell zephyr class (kind of like a chatroom)
Me: Ok. I think I know what I want to do […], but I’d like to check and make sure I’m not going to screw it up before I try. Anyone around?
Someone from Athena server ops: I think you should just risk breaking it. At worse, you’ll just have to fix it after the fact
Well…ok? I guess I’ll just back up the files I’m modifying…
Anyway, I can’t really say much more, because where’s the fun in saying what I did? But in any case, hacking other people’s servers with permission is a really fun way to spend a weekend.
But I guess I should go back to tooling now…
Hmmm
That’s quite interesting to hear. So how do you know that you are the first one to do that? And can you tell the strategy to all of the problems as I don’t know how to do any of it.
Akshay – what do you mean? People take the Zone Cell Challenge regularly. When I took it I was the only person taking it, though.
In terms of how to solve the challenge, it’s not hard – it’s mostly about reading the documentation for the tools related to AFS and Kerberos. I can’t really say much more past that, though!
Evan, this is really cool. I just love this kind to learning experience because you learn more by doing the stuff than taking exams.
Since you must’ve had many such opportunities, this entry springs up a question in my mind: if you were to pick one such project/assignment/etc.. as your favorite, which one would you choose? ^_^
Ohhh!!!
I thought that many people take that up as the Mystery hunt during the IAP.
Still it is quite interesting that you can do it by reading the documentation and then modifying it in the correct manner. I would love to do that and learn how to hack and then take this challenge on but for that I need an admission.
I have a question regarding the admission process:
I was rejected from the class of ’12, but I’m going to apply again for ’13, and I was just wondering if the following scenario will hurt my chances:
The Armed Forces in my country have chosen to draft me for one year beginning in January 2009 – which means that I cannot enroll at any university before september 2010, which again leads to me having to apply for a “gap year” if I’m accepted to any Class of 2013.
But that will be a two-year period when I’m not enrolled at any school (I graduate from HS this summer) on my application.
My plan right now is to take the first half-year until I enroll in the Army to travel abroad and work to gain some money for education, and then spend the half year after I return doing just about the same.
Will these “years of doing nothing of significance academically” hurt me?
Thanks.
Hi, Eirik –
The admissions office is used to seeing weird schedules, especially from international students. I wouldn’t worry about it – do what you’ve gotta do.
– Evan
Sounds fun to me. Two summers ago I went to the (possibly last session of) the National Youth Leadership Forum on Technology at the San Jose Fairmont. Honestly a lot of it was kind of lame, but I had a lot of fun in the “Network Security Challenge Lab” .. A linux lab with a lot of contrived cracking scenarios. It was lots of fun
… The End.
~Donald
Nice, Evan! w00t for course 6! haha. Athena seems like quite a nice setup. I read some user instructions a while back and it appeared nicely. Have a great week!
So did you finish the final part of the challenge?