As I (and my now partner Eevee) race towards the level 8 finish line, I don't feel quite the same. I see us making limited progress and see the number of people finishing level 7 rising, haha. This is fun, though.
I've worked in/with security along these lines for a very long time. This CTF (particularly level 8) has been some of the most difficult stuff I've ever done. Thanks to Stripe for putting this together; if I wasn't already a customer, I absolutely would be now!
can't someone edit the image on wikipedia and change the image displayed to everyone else here -- or is the wikimedia image system only accessible by admins?
Huge kudos for the design of the site - it definitely gives off a Tron-like feel. I can't imagine the attention to detail to what amounts to just a game.
It serves an important purpose for them no doubt, but it is surprisingly polished and addictive. Just shows you that it's worth putting time into perfecting even activities which might seem peripheral - I'll bet they'll find some good people via this game (the ones who finished it really quickly and with clever solutions).
I'm totally stuck on Level 7 after getting some waffles and have no time to continue though, oh well.
You nailed it on the addictive bit. I got home from work around 6pm and started the game. I glanced at the clock after a bit and realized it was almost 2am. Oops!
Shameless: Enjoying this challenge? You'd enjoy working with us. We're hiring in Chicago, in Mountain View, and in Manhattan. This stuff is our day-to-day, plus reversing, custom protocols, tool development, and exotic applications. If you've never done appsec work professionally, but find these challenges fun and straightforward, we'd love to talk to you:
We've hired more people off HN than from any other vector.
www.matasano.com/careers
(Or, you know, ask Stripe for a job. I'm sure they're hiring too!)
Matasano also likes interns! I worked with them for the past two summers and can't say enough good about the experience. You will learn (or get to practice) the things tptacek mentioned above as well as web apps, mobile, ruby, a staggering amount of crypto, and whatever else you find interesting to work on or ask about. If you're into this stuff, check them out!
The public URL for the Secret Safe given to me in Level 0 doesn't actually return a response when I get request it, the connection just sits open - is this expected?
Shameless, ala tptacek: Enjoying this challenge? We do similar things on a daily basis over at Tinfoil Security. We develop tools to attack websites in a lot of similar ways to this Stripe CTF. We're hiring in Palo Alto, and even if you've never done appsec work before, we'd love to chat.
Shameless, following tptacek and borski's examples: Having fun finding broken code? Want to get paid without going to the effort of writing exploits? You might want to look at the Tarsnap (or scrypt, or kivaloo, or spiped) code and see if you can win some bug bounties: http://www.tarsnap.com/bugbounty.html
(Or, you know, ask Stripe or Matasano or Tinfoil Security for a job. They'll pay you far more than you'd ever get from Tarsnap's bug bounties.)
I really enjoyed this until I got stuck on level 3. I have a bunch of ideas about what the solution might be but I'm not good. Are there any websites with challenges similar to this that are more geared towards someone that isn't so great at this sort of thing? A "beginner" at security stuff?
A lot of people have fun with this kind of challenge, as well as network security in general. Over 10,000 people went to DEFCON this year (I've seen estimates between 13,000 and 16,000). Hacker IRC rooms are constantly buzzing. Security is fun, and while building software is immensely satisfying, so is breaking it.
So why is the information security industry so tiny?
For one, it's competitive, but I think that many, many qualified security guys don't realize that there's a thriving industry around this kind of stuff.
If you want to work in security, these CTF-style challenges are a great way to show that you're self-motivated and clever. I'm always hiring application security engineers, and honestly it's pretty difficult to find people who are new to the field. People seem to either have a decade of experience and bounce from company to company, or no experience at all and assume that they "aren't good enough."
If a company can't take some raw talent and refine it, they don't deserve raw talent in the first place. We call that training.
If you like this kind of stuff, apply at Stripe, or Matasano, or Tinfoil Security -- or even my engineering team at Redspin. If you mention "HN" or "Hacker News" in an email to jobs at redspin.com, I'll know exactly where you came from :)
PS: Redspin hires all kinds of security engineers, from policy & procedure specialists to network infrastructure guys to appsec experts. It's better to apply and have a conversation than to be too afraid to try!
I'm now really looking forward to work finishing for the day. The first thing I did was email all the developers at work and challenge them with a race to the finish :p ....I'm a grad halfway through my year of QA.
I was looking forward to verifying the P = NP proof on level 3, but sadly I don't have access to DARPA’s 1000-node testbed, nor does my phone have any optical storage space. Sigh :(
Anyway, love the challenge, the attention to detail is awesome :)
Have had a lot of fun with this so far even though I'm only at level 4, kind of went off on a tangent on level 3 and after getting a partial solution I realised that there was a much easier way of approaching it
This is suprisingly fun. At first, you feel like a badass, reading the documentation for every function call, googling for exotic bugs. Then you feel like a total idiot when you notice how simple it actually is. Finally, you laugh at people in the IRC because you know exactly how stupid they feel.
Yeah... I can't believe I spent time looking for something wrong with the HMAC used for session cookies. Also, I'm pretty sure I solved #5 the "wrong" way since it didn't actually involve the hint they gave.
79 comments
[ 5.1 ms ] story [ 151 ms ] threadI just made it to level 8 this morning and haven't a clue where to really begin with it.
It's definitely a lot of fun and has been an interesting journey for sure. Love little games like this.
Yeah it was pretty tricky but once you get down the approach it's not too bad. Took me awhile to realize what was going on.
> $url = "https://upload.wikimedia.org/wikipedia/commons/f/f8/ . "Question_mark_alternate.svg";
can't someone edit the image on wikipedia and change the image displayed to everyone else here -- or is the wikimedia image system only accessible by admins?
I believe it is very editable once login.
Game, marketing exercise, recruitment tool.
I'm totally stuck on Level 7 after getting some waffles and have no time to continue though, oh well.
Maybe after you complete a level you could get the choice of "Pause the game" or "give me the next challenge" ?
Is this not dangerous?
We've hired more people off HN than from any other vector.
www.matasano.com/careers
(Or, you know, ask Stripe for a job. I'm sure they're hiring too!)
https://www.tinfoilsecurity.com/jobs
(Or, you know, ask Stripe or Matasano for a job. They're both crazy awesome, have a ton of respect from me, and are also hiring.)
(Or, you know, ask Stripe or Matasano or Tinfoil Security for a job. They'll pay you far more than you'd ever get from Tarsnap's bug bounties.)
Would love to sit down with it for a bit longer and crack on.
A lot of people have fun with this kind of challenge, as well as network security in general. Over 10,000 people went to DEFCON this year (I've seen estimates between 13,000 and 16,000). Hacker IRC rooms are constantly buzzing. Security is fun, and while building software is immensely satisfying, so is breaking it.
So why is the information security industry so tiny?
For one, it's competitive, but I think that many, many qualified security guys don't realize that there's a thriving industry around this kind of stuff.
If you want to work in security, these CTF-style challenges are a great way to show that you're self-motivated and clever. I'm always hiring application security engineers, and honestly it's pretty difficult to find people who are new to the field. People seem to either have a decade of experience and bounce from company to company, or no experience at all and assume that they "aren't good enough."
If a company can't take some raw talent and refine it, they don't deserve raw talent in the first place. We call that training.
If you like this kind of stuff, apply at Stripe, or Matasano, or Tinfoil Security -- or even my engineering team at Redspin. If you mention "HN" or "Hacker News" in an email to jobs at redspin.com, I'll know exactly where you came from :)
PS: Redspin hires all kinds of security engineers, from policy & procedure specialists to network infrastructure guys to appsec experts. It's better to apply and have a conversation than to be too afraid to try!
Anyway, love the challenge, the attention to detail is awesome :)
1: https://stripe-ctf.com/about
2: irc://irc.stripe.com:+6697/ctf
Edit: the IRC helped. the issue isn't ruby, sinatra, etc.