One question: for a less "just for fun" site like this, with no time barriers, how do you plan on dealing with people just following write-ups? You can randomly generate the flags, but people could still follow the steps. You can say "don't write write-ups," but write-ups will still be written ;)
It's hard for me to go into more detail on (d) without revealing a whole bunch of stuff about the game I don't want to talk about yet; I should be more comfortable talking about it, but until we announce it officially I have a lot more leeway to slip rev1 features. :)
The shortest simplest answer though is: we're a firm whose whole purpose is to make fun, interesting CTF-style games (well, one game; we're the Blizzard of CTFs, and we're building our WoW), so we can address a lot of these kinds of problems with brute force, because this isn't a spare-time thing.
If it helps to understand where we're coming from:
Chris Eagle, the author of The IDA Pro book, published an IDA Pro plugin for the bizarro-MSP430 that Microcorruption (our last CTF) emulates. There are tools with "microcorruption mode" in them because of all the little ways we broke MSP430. Someone wrote a symbolic execution engine to solve the Hollywood level on Microcorruption and posted it to GitHub. There is still a #uctf channel on Freenode for Microcorruption.
This. Is. Awesome. It is my favorite thing about Microcorruption.
We did practically nothing at all to foster a community for Microcorruption, apart from Erin starting the IRC channel. That's not an opportunity we are going to miss this time; in fact, doing better on the community and sharing side is part of the thesis of the company.
I reallllllllllllly hope people share code and tools and stuff to make progress in the game. How cool will that be?
This is great but I think the stakes are somewhat different if it's ostensibly about jobs/hiring. I don't recall the crypto challenges being promoted as a hiring mechanism (though they may have been useful for that).
I think we plan on making minimal demands of our users, and none of them involve grooming them for prospective employers.
Look, the reality is, most of the people who participate aren't going to be looking for a job when they do. So all our incentives are to make the experience itself rewarding to participants.
I'm weird about typing those words because very very soon we're going to actually ship the first rev and levels of this thing, and as anyone who ships software knows: right now, at this point in the release calendar, my instincts are to be LOWERING the bar, not raising it. :)
But that's the use from your (or Matasano's) perspective. I joined the crypto-challenges not at all because I want a job in security, but because I continuously heard people be super-enthusiastic about it (both the participants, as well as yourself, tptacek :) ), because it reminded me of the old Malattia+ 3564020356 puzzles (level 6!), because it seemed more fun than the Euler Project puzzles (which I did enjoy, but you can only solve so many palindrome prime puzzles before it gets tedious) and of course because I would learn things about practical crypto.
Unfortunately I only got halfway through the first set of the Matasano challenges, but that was more because I did it in Python and at some point got frustrated by its lack of speed :) (even using NumPy). I did make a rather elegant English-text MLE detector using a log-probability frequency table of only 256 bytes :) I thought that was pretty cool. I might have another go at it and this time use Java instead.
>most of the people who participate aren't going to be looking for a job when they do.
This is weird, and I'm sensing some miscommunication between you and patio.
I'm only hearing about this as a tool for proving my worth. Your major marketing (as far as I'll likely ever be aware) has CAREER CAREER CAREER stamped all over it.
People won't follow the honor system if the stakes are at the 'career' level. You're losing the 'fun and free' culture of Microcorruption that makes people spend their free time building fun tools.
Your understanding of the incentives differs from the incentives that have been communicated to me about Starfighter.
Anonymous Throwaway Account? Yes, you over there. I'm looking RIGHT AT YOU. Yes you.
You're the new CEO.
Get to work. Explain this to everyone else on HN. The clock's ticking!
But I'll play along. I'll be taking Starfighter in a new direction. Most notably, we'll be reorganizing how we react to online discussion. Anonymous critics will be summarily executed unless we cannot identify them, in which case they shall merely be barred from Starfighter for life, which, if you believe our marketing department (AND AS CEO I DO IN FACT I'M SORRY I IMPLIED IT WAS POSSIBLE TO DOUBT THEIR CLAIMS), will make it very difficult for them to find work in the hiring utopia that is the post-Starfighter process.