

</CaptureTheFlag> - janzer
https://stripe.com/blog/capturetheflag

======
pakitan
It would be nice if the CTF site could be kept alive (meaning you can still
solve the puzzles and move up in levels) for another month or so. Not as a
'competition', as it was, but just to allow more people to fiddle with it. I
got in late and couldn't afford to spend a whole day cracking but I'd love to
play some more if it opens again.

~~~
jurre
I very much agree, I didn't have enough time that week so I only got to level
5 but I would love to try and complete the rest of the levels!

------
dsr12
It was a very well executed event. The levels were well designed and the
complexity increased at each level. I couldn't capture the flag (got stuck at
level 8), but it was a week in which I learnt a lot. Kudos to the Stripe team
for organizing such an event.

------
jmilloy
To me, the chart-as-written says that the average time per level for people
who reached only level 7 was ~18h, and for people who reached level 8 was
~36h? That would mean level 8 took on average 8x36 - 7x18 = 162 hours to
complete...

Does it mean average total time, separated out by the max level reached (so,
level 8 took at least 36-18=18 hours on average, but probably more)? Or does the
level on the x axis mean "max level reached" for the number of people (dotted
line), but "level" for the average time, so that it's just directly 36h
average?

It's further complicated because the clock kept ticking even when people took
breaks to sleep and go to work, so I don't even know what to expect. To be
fair, it _has_ been ~360h since the competition began.

Someone help me...

~~~
brown9-2
It's a dual Y-axis chart.

~~~
jmilloy
Well yeah. But (apparently?) the x-axis label only pertains to one of the
lines (dotted), while the title pertains only to the other line (solid), but
inaccurately! Hence the confusion, and the question: Can you tell me which of
the interpretations I suggested for the solid line, which may have an
_inaccurate_ title and _no_ x axis label, is correct?

------
noirman
I like it that they especially tailored this for newbies (like me). I learned
so much progressing the levels (from nothing). The people at #irc were super
helpful too (while not revealing the answer)

~~~
streptomycin
Well, there was plenty of answer revealing too..

------
mukyu
A collection of the level 8 solutions can be found at
[https://docs.google.com/spreadsheet/ccc?key=0AqPyYgZlFopxdHB...](https://docs.google.com/spreadsheet/ccc?key=0AqPyYgZlFopxdHBYSjJyY1V3dFdUN1hvMVB5cUU0Nnc#gid=0)

------
brunolazzaro
This was so much fun. Up to level 8 I really liked the challenges. Level 8?
Not so much, it was a bit silly and tedious. Level 7 was way better.

~~~
sanderjd
Wow, I felt the exact opposite! Level 8 was really fun for a bunch of reasons.
It seemed like a tricky, probabilistic timing thing (despite their many
statements to the contrary!) until the eureka hit and you saw the
deterministic way forward. Eureka moments like that are fantastic. It was an
attack I had never read about or thought about, but which (despite being
admittedly contrived) could plausibly exist in the wild. It required writing a
real program (which none of the others did). And most importantly, it was
awesome to see the numbers spin and lock into place, just like they do in the
movies :)

Level 7 (which I really liked too!) was boring compared to that - either you
knew about that specific hash attack or you didn't, and once you found out
what it was meant to be, you just had to modify some stuff in a python repl to
make it work.

------
aphrax
Is it still possible to work through the exercises or was it a time limited
thing?

~~~
jiggy2011
You can get the source:

[https://github.com/stripe-ctf/stripe-ctf-2.0/tree/master/lev...](https://github.com/stripe-ctf/stripe-ctf-2.0/tree/master/levels)

Don't know if it's dependent on any particular server config though. A VM
Image might be nice.

~~~
darklajid
You should be able to run most challenges just fine, I guess.

Dependencies are noted per level and easy to get on most systems, I assume
(i.e. python or ruby plus some extras. 4/6 need phantomjs as well for the
bot).

I really think VMs (or even a single one) would be overkill.

------
daniellockard
I was very happy when I finally completed it :) Excited to get my shirt.

------
grandpoobah
If only I'd known about the SHA1 padding thing :(

~~~
krisoft
I've heard about that on HN. In the article referenced here:
<http://news.ycombinator.com/item?id=910203>

