Network Computing is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

For Hackers, By a Hacker

It can sometimes be challenging to convince folks that Network Computing is serious about the motto, "For IT, By IT" (see banner, two inches to the right). It's not just a nice sounding phrase, but a major cornerstone of the philosophy of the magazine.
When I started covering the security beat, the most important challenge was learning the ins and outs of the magazine, working on my writing and other skills, not so much learning the technology. Security isn't just something I write about, it's what I do on a day-to-day basis.
When talking to companies about their security products they don't always get down to the technical details, but focus on high-level discussions about why their product is different or important. Hopefully they catch on when I explain that I really do want to hear about the details of the technology itself, but sometimes it's better to show than tell, right?

To that end, I participated in the Interactive Testing Challenge at RSA last week (ok, I admit, it wasn't just for that reason -- I did it for fun, too). Carefully not called a hacking contest (by the organizers anyway), it was a three day event meant to exercise web application exploitation skills.

First of all, hats off to Security Innovation for a great contest. It can be really hard to find the right difficulty level for a live-fire scenario like that, and the sample online bank built for the event was perfect.

The most important factor in the contest besides basic web exploitation skills (cross site scripting (XSS), SQL injection, cross site request forgeries (CSRF), etc.) was speed. The top two contestants from each of the first two days competed at the end of the day in a best of three challenge for a spot in the finals on the third. The first day ended with myself and a technical staff member from the Church of Jesus Christ of Latter-Day Saints--not exactly who you'd expect to end up competing at the end of the first day of the biggest security conference in the planet.

The semi-finals each day were nerve-wracking. Announcers with microphones described the attacks and potential defenses as the audience stood around watching the two contestants on overhead displays, helping to increase the tension. Having both participated and watched, it certainly was much easier to spot the right answer when you weren't under the gun.

  • 1