
'; CREATE TABLE `Capture the Flag`;' -- Stripe's Web Security CTF is Live - CD1212
https://stripe.com/blog/capture-the-flag-20
======
tptacek
Shameless: Enjoying this challenge? You'd enjoy working with us. We're hiring
in Chicago, in Mountain View, and in Manhattan. This stuff is our day-to-day,
plus reversing, custom protocols, tool development, and exotic applications.
If you've never done appsec work professionally, but find these challenges fun
and straightforward, we'd love to talk to you:

We've hired more people off HN than from any other vector.

www.matasano.com/careers

(Or, you know, ask Stripe for a job. I'm sure they're hiring too!)

~~~
gtank
Matasano also likes interns! I worked with them for the past two summers and
can't say enough good about the experience. You will learn (or get to
practice) the things tptacek mentioned above as well as web apps, mobile,
ruby, a staggering amount of crypto, and whatever else you find interesting to
work on or ask about. If you're into this stuff, check them out!

------
cperciva
Shameless, following tptacek and borski's examples: Having fun finding broken
code? Want to get paid without going to the effort of writing exploits? You
might want to look at the Tarsnap (or scrypt, or kivaloo, or spiped) code and
see if you can win some bug bounties: <http://www.tarsnap.com/bugbounty.html>

(Or, you know, ask Stripe or Matasano or Tinfoil Security for a job. They'll
pay you far more than you'd ever get from Tarsnap's bug bounties.)

------
david_shaw
Disclaimer: _Also shameless_

A lot of people have fun with this kind of challenge, as well as network
security in general. Over 10,000 people went to DEFCON this year (I've seen
estimates between 13,000 and 16,000). Hacker IRC rooms are constantly buzzing.
Security is fun, and while building software is immensely satisfying, so is
breaking it.

So why is the information security industry so tiny?

For one, it's competitive, but I think that many, _many_ qualified security
guys don't realize that there's a thriving industry around this kind of stuff.

If you want to work in security, these CTF-style challenges are a great way to
show that you're self-motivated and clever. I'm always hiring application
security engineers, and honestly it's pretty difficult to find people who are
new to the field. People seem to either have a decade of experience and bounce
from company to company, or no experience at all and assume that they "aren't
good enough."

If a company can't take some raw talent and refine it, they don't deserve raw
talent in the first place. We call that training.

If you like this kind of stuff, apply at Stripe, or Matasano, or Tinfoil
Security -- or even my engineering team at Redspin. If you mention "HN" or
"Hacker News" in an email to jobs at redspin.com, I'll know exactly where you
came from :)

PS: Redspin hires all kinds of security engineers, from policy & procedure
specialists to network infrastructure guys to appsec experts. It's better to
apply and have a conversation than to be too afraid to try!

------
borski
Shameless, à la tptacek: Enjoying this challenge? We do similar things on a
daily basis over at Tinfoil Security. We develop tools to attack websites in a
lot of similar ways to this Stripe CTF. We're hiring in Palo Alto, and even if
you've never done appsec work before, we'd love to chat.

<https://www.tinfoilsecurity.com/jobs>

(Or, you know, ask Stripe or Matasano for a job. They're both crazy awesome,
have a ton of respect from me, and are also hiring.)

------
oacgnol
Huge kudos for the design of the site - it definitely gives off a Tron-like
feel. I can't imagine the attention to detail to what amounts to just a game.

~~~
ceejayoz
> I can't imagine the attention to detail to what amounts to just a game.

Game, marketing exercise, recruitment tool.

~~~
grey-area
It serves an important purpose for them no doubt, but it is surprisingly
polished and addictive. Just shows you that it's worth putting time into
perfecting even activities which might seem peripheral - I'll bet they'll find
some good people via this game (the ones who finished it really quickly and
with clever solutions).

I'm totally stuck on Level 7 after getting some waffles and have no time to
continue though, oh well.

~~~
robflynn
You nailed it on the addictive bit. I got home from work around 6pm and
started the game. I glanced at the clock after a bit and realized it was
almost 2am. Oops!

------
pc
My favorite part is watching the captures in real time at
<https://stripe-ctf.com/leaderboard>.

~~~
ceph_
Looks like someone has found the egg.

~~~
scoot
Easter-egg? There's menu link on every the main page.

~~~
scoot
That was in English when I thought it :-)

------
gibybo
I was looking forward to verifying the P = NP proof on level 3, but sadly I
don't have access to DARPA’s 1000-node testbed, nor does my phone have any
optical storage space. Sigh :(

Anyway, love the challenge, the attention to detail is awesome :)

------
elliottcarlson
Definitely wish time wasn't a factor - on Level 3, but just don't have the
time to commit to it :/ Maybe later tonight

~~~
eli
Ditto. I would totally spend a few hours on this if I didn't have work to do
:/

Maybe after you complete a level you could get the choice of "Pause the game"
or "give me the next challenge" ?

~~~
collision
Don't worry -- even if you don't get to play this week, we'll be releasing the
levels afterwards so you can run them yourself at home.

------
jewel
It seems like no matter what screen name I pick, the settings claim that it is
unavailable.

~~~
gdb
Fixed! Sorry about that.

~~~
saurik
I put my screenname in, had not checked "show...". Then, I went back to check
that, and now am getting the "screen name is unavailable" error.

~~~
gdb
This is what I get for editing code on the fly. Should be really fixed now.

~~~
d3ad1ysp0rk
Unit tests! ;)

------
LinXitoW
This is surprisingly fun. At first, you feel like a badass, reading the
documentation for every function call, googling for exotic bugs. Then you feel
like a total idiot when you notice how simple it actually is. Finally, you
laugh at people in the IRC because you know exactly how stupid they feel.

~~~
eli
Yeah... I can't believe I spent time looking for something wrong with the HMAC
used for session cookies. Also, I'm pretty sure I solved #5 the "wrong" way
since it didn't actually involve the hint they gave.

~~~
A1kmm
I didn't use the Level 2 server for #5 either (although I did for #8) - so I
suspect that many people solved it the same way.

------
citricsquid
I really enjoyed this until I got stuck on level 3. I have a bunch of ideas
about what the solution might be but I'm not good. Are there any websites with
challenges similar to this that are more geared towards someone that isn't so
great at this sort of thing? A "beginner" at security stuff?

~~~
gdb
You may want to check out the Reading Materials section on
<https://stripe-ctf.com/about>.

------
FuzzyDunlop
Stopped at level 3, for a break, and because I couldn't see the exploit so
easily. But still, amazing site design and great fun.

Would love to sit down with it for a bit longer and crack on.

------
mycodebreaks
I finished first three levels. I will continue with the rest tomorrow.

I think if they didn't provide code, it would have been really difficult. Is
everyone feeling the same way?

------
citricsquid
unrelated to the game, but on the social network question:

> $url = "https://upload.wikimedia.org/wikipedia/commons/f/f8/" .
> "Question_mark_alternate.svg";

can't someone edit the image on wikipedia and change the image displayed to
everyone else here -- or is the wikimedia image system only accessible by
admins?

~~~
sirn
[http://commons.wikimedia.org/wiki/File:Question_mark_alterna...](http://commons.wikimedia.org/wiki/File:Question_mark_alternate.svg)

I believe it is very editable once logged in.
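Added example (mine, not part of this thread or of the CTF's own code): the quoted snippet hotlinks an image from a host where anyone with an account can replace the file, so whatever is uploaded there is what every visitor sees. One way to keep an embedded third-party asset from changing under you is to pin its content hash at review time and serve a bundled copy whenever the fetched bytes no longer match. The SVG bytes, the pin and the fallback below are constructed for illustration; the only real dependency is the standard library.

```python
import hashlib
import hmac
import urllib.request
from typing import Callable, Tuple

# Constructed sample: stands in for the bytes of the SVG the page embeds.
# The pin is computed once, from the copy that was actually reviewed, and
# then committed alongside the code that references the URL.
ORIGINAL_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><text>?</text></svg>'
PINNED_SHA256 = hashlib.sha256(ORIGINAL_SVG).hexdigest()

# Constructed fallback shipped with the app; used whenever the remote copy
# is unreachable, oversized, or fails the pin check.
LOCAL_FALLBACK = b'<svg xmlns="http://www.w3.org/2000/svg"><rect/></svg>'


def matches_pin(data: bytes, expected_sha256: str) -> bool:
    """True only if data hashes to the pinned digest (constant-time compare)."""
    digest = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(digest, expected_sha256)


def fetch_remote(url: str, timeout: float = 5.0) -> bytes:
    """Plain HTTP fetch; not exercised offline, shown for completeness."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:  # noqa: S310
        return resp.read()


def load_pinned_asset(
    fetch: Callable[[], bytes],
    expected_sha256: str,
    fallback: bytes,
    max_bytes: int = 1 << 20,
) -> Tuple[bytes, str]:
    """Return (bytes_to_serve, reason).

    The remote copy is served only if it was fetched, is within the size
    cap, and matches the pinned digest; every other outcome yields the
    bundled fallback with a reason string suitable for logging.
    """
    try:
        data = fetch()
    except Exception:  # network error, timeout, HTTP error
        return fallback, "fallback:fetch-failed"
    if len(data) > max_bytes:
        return fallback, "fallback:too-large"
    if not matches_pin(data, expected_sha256):
        return fallback, "fallback:digest-mismatch"
    return data, "remote"


if __name__ == "__main__":
    # Offline demonstration with the constructed bytes above.
    served, why = load_pinned_asset(lambda: ORIGINAL_SVG, PINNED_SHA256, LOCAL_FALLBACK)
    print(why)  # remote
    tampered = ORIGINAL_SVG.replace(b"?", b"!")
    served, why = load_pinned_asset(lambda: tampered, PINNED_SHA256, LOCAL_FALLBACK)
    print(why)  # fallback:digest-mismatch
```

Pinning only helps for assets that are meant to be immutable; if the page wants the current version of an externally maintained file, the honest fix is to host a reviewed copy yourself rather than to hotlink at all.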

------
spydum
Seriously love this ctf, the style and everything is quality. Hope I have some
more time tomorrow to slash away at it. THANKS STRIPE!

------
1qaz2wsx3edc
What scares me about this is they want you to authenticate via github with an
app that's going to be hacked at.

Is this not dangerous?

~~~
gdb
We just ask for your publicly readable profile information. For exactly that
reason :).

------
daniellockard
Gah, I'm stuck on level 4. I've never really dealt with security in ruby /
sinatra / sequel applications.

~~~
alttag
... Yeah, me too. If you check out the "about" page [1], there's IRC info at
the bottom [2], so there may be hints there.

1: <https://stripe-ctf.com/about>

2: irc://irc.stripe.com:+6697/ctf

Edit: the IRC helped. the issue isn't ruby, sinatra, etc.

~~~
kanzure
I was stumped by disbelief. Well, now I know that Stripe isn't lazy.

------
0x0
Is the "502 bad gateway / nginx" page after signup submission part of the
challenge?

~~~
siddarthcs
Sorry 'bout that: scaling issues. Should be fixed now!

~~~
0x0
In now, thanks! :)

------
brendonjohn
I'm now really looking forward to work finishing for the day. The first thing
I did was email all the developers at work and challenge them with a race to
the finish :p ....I'm a grad halfway through my year of QA.

------
axisK
Have had a lot of fun with this so far even though I'm only at level 4. Kind
of went off on a tangent on level 3, and after getting a partial solution I
realised that there was a much easier way of approaching it.

------
madsushi
I can't wait until the very last challenge just says: "SURPRISE, you typed in
your password when you started this event, which is the most common way that
someone's password will get stolen."

~~~
ceejayoz
I just authenticated with Github (public info, read-only).

------
suresk
Don't know if I'll have time (or the skills) to finish Level 8 (it looks
pretty intense), but the other levels were a lot of fun. This was done really
well - thanks for doing it!

~~~
A1kmm
Level 7 is actually harder technically than Level 8, although Level 8 had
problems at their end when there were too many people trying for it,
overloading the Level 2 and Level 8 servers and making it hard to get a
successful exploit. Once they fixed that, it was easy.

------
brown9-2
The public URL for the Secret Safe given to me in Level 0 doesn't actually
return a response when I send a GET request to it; the connection just sits
open. Is this expected?

~~~
gdb
Nope -- scaling issues. Should be fixed now.

~~~
jgeralnik
The site's down again. 502 Bad Gateway.

------
grandpoobah
Level 2 is just giving me timeouts. Joined IRC channel to report bug, and
somebody gave away the answer for level 2. Bummer, I had been enjoying myself.

------
heywire
Aww, I wish I had the time to participate this time. I had a blast with the
first one! I proudly wear my stripe ctf shirt :)

------
robflynn
Thanks for the great game, Stripe guys. There were a lot of fun challenges and
I learned quite a few things in the process!

------
alpb
The title of this HN post is a great example of how to get the attention of
hacker minds.

------
Bootvis
WOW, that went better than expected. tptacek can expect an e-mail ;)

------
caseyp
Just finished level 8!

------
jtokoph
I wonder when level 4 will be back up.

------
frederico
love it! bummed different parts keep going down; although I'm sure servers are
getting slammed :)

------
daniellockard
Woo, Finally got level 8

------
strags
Level 3 timing out :(

~~~
hellopat
I'm having this issue as well.

------
homakov
extremely awesome. just what i like

------
ansi
Thanks!

