

Coming soon: Stripe CTF3, distributed systems edition - gdb
https://stripe.com/blog/ctf3-coming-soon

======
orf
The last Stripe CTF was amazing, I managed to be one of the first hundred or
so to get to the last stage but got utterly stumped by it. The solution
involved tracking the incrementing port numbers of a Linux server as a kind of
side channel attack to bruteforce a password if I remember correctly - a very
interesting puzzle.

The whole thing was very fun, I highly recommend anyone interested in security
to give it a go. The XSS challenges were also cool: they ran a headless webkit
browser to emulate a user so your XSS code actually did something.

~~~
reginaldo
The last Stripe CTF literally changed my life. I've always been interested in
security but didn't have the confidence and honestly thought I didn't have what it
takes to be successful in the field. I decided to try the CTF anyway just for
fun and was able to finish everything much to my surprise. I had read about
SHA-1 padding when it affected Flickr so I knew just what to do on the level
that involved SHA-1 padding, which I thought was the hardest.

When I came to HN and saw a lot of people I admire talking about how hard it
was, especially daeken [1], I remember thinking something along the lines of
"well, I thought it was hard but not _that_ hard", and decided to try to find
a few security bugs in open source software... Best thing I ever did... In
just a few weeks I found some nice bugs on both Drupal and WordPress, got the
first CVE credited to myself, and then I started to have fun (and some profit)
with the various bug bounty programs around the web, most notably those run by
Google (I'm currently 0x05 overall) [2] and Facebook (7th) [3].

After a year doing security work on the side I was able to quit my day job
last August and now I make my living basically as a security consultant and
also as a "bounty hunter". I also got multiple job offers from US companies (I
currently live in Brazil).

And all of this happened only because the Stripe CTF gave me the confidence to
actually follow my dreams. Oh, and I still don't know if I have what it takes
to be really successful in the field, but frankly security bugs are everywhere
so I go ahead and keep on finding them. I'm learning a lot every single day
and the mean time between bugs is getting lower and lower, which is great. So
thank you Stripe. Thank you very much.

Shameless plug: BTW, I'm in the committee for the W2SP conference, so if
anyone has some interesting discovery to share, please submit a paper.

[1] [https://news.ycombinator.com/item?id=4424299](https://news.ycombinator.com/item?id=4424299)
[2] [https://www.google.com/about/appsecurity/hall-of-fame](https://www.google.com/about/appsecurity/hall-of-fame)
[3] [https://www.facebook.com/whitehat/thanks](https://www.facebook.com/whitehat/thanks)
[4] [http://www.w2spconf.com/2014/](http://www.w2spconf.com/2014/)

~~~
milesokeefe
>And all of this happened only because the stripe CTF

Well that and all of your hard work and talent.

------
darklajid
Amazing. I had a blast in the last CTF and the shirt is considered one of the
more presentable I own according to the wife.. ;-)

Thanks a lot for the work you put into these things!

~~~
1_player
Yeah, I have both and I love them, can't wait for the third T-shirt :)

------
wasd
I've got next to no experience with distributed systems. What sort of concepts
should I brush up on before next Wednesday?

~~~
joshschreuder
I had little to no experience in the last CTF and managed to progress through
roughly half the stages from memory. You can research as you go, and it's all
good fun.

------
patcon
Funny that they mention Bitcoin when Stripe doesn't publicly deal with bitcoin
yet...

~~~
e28eta
I think it's because it's a high profile distributed system. I bet there's a
problem that's similar to a toy bitcoin algorithm.

------
mcescalante
Very interested to see how this is structured and how it is going to work - it
sounds like this time around it is less about the competition piece, but still
leaves the opportunity for those who want to test their skills against others
to do so. Any way you slice it, it will be great to see what they've put
together.

------
bdr
I remember looking back on my 2012 and including Stripe's CTF on the list of
highlights. It was that fun.

------
joeblau
I'm too dumb to ever figure these things out, but I look forward to seeing the
challenges :).

------
pirateking
The last CTF was super fun. I have been waiting for this announcement, and am
happy to see it will be a whole new kind of game. I am sure it will be great
given the high production values of the last one.

------
spiderPig
Looking forward to this and curious how it's going to be structured (writing
clever state machines?). The last one was amazing (nice American Apparel
t-shirt too :-)!).

------
heywire
I love that Stripe puts together these competitions. I still wear my shirt
from the first CTF proudly :) I wish I had more free time to participate
again...

------
sprizzle
I like how CTF is becoming more educational and less of a hacking competition.
Can't wait to see what CTF3 brings.

------
dclara
Can you please show me the page that the "distributed systems" is about? What
I found is the "distributed search" page, which is restricted to a certain type of
document indexing algorithm. If this is all the competition is about, please
don't mislead users that it is about "distributed systems".

------
paulcnichols
Super excited about this. CTF2 was a ton of fun. I also enjoyed the t-shirt.

------
mac1175
Nice! This should be fun!

------
Ryel
No event in NYC?

~~~
gdb
Nope, none planned. (We don't have any engineers based there.) I'd be open to
a community-organized event if someone's excited about hosting though — ping
me at gdb@stripe.com.

------
hydralist
Any chance for a new programmer to take part?

~~~
gdb
Absolutely -- though experience will definitely help you if you want to
compete, we've tried to make the levels educational too. There'll be plenty of
pointers and hints, and there will be lots of people around IRC. There are
also IRL meetups if you're around SF, Boston, or London.

------
peterwwillis
Why is the valley crowd treating distributed systems engineering like it's a
new fad? And why are they only using tech made in the past 5 years? The field
has been around for four decades, yet they focus on only a couple algorithms
and models?

~~~
ash
What do you mean by new algorithms? The post mentions Raft and Paxos. Only
Raft is new. And Sebastian Kanthak said during his Google Spanner talk:

"Our Paxos implementation is closer to Raft algorithm than to what you'd read
in Paxos paper which is… horrible."

[http://www.infoq.com/presentations/spanner-distributed-google](http://www.infoq.com/presentations/spanner-distributed-google)

~~~
peterwwillis
I didn't say new algorithms, but I see how my wording was weird.

