Category Archives: hackers

Usable Crypto Capture the Flag Challenge

Last week, during USENIX’s first Enigma conference, EFF hosted a small Capture the Flag hacking competition. I designed one of the challenges myself, entitled Usable Crypto. It requires you to use PGP as an attacker rather than a defender. It’s on the easy side, as far as CTF challenges go, and I think many people who have absolutely no hacking skills but some fumbling-around-with-PGP skills could beat it without too much trouble. And it might even demonstrate why verifying fingerprints really is rather important.

If you’d like to give it a go, it’s live at https://usable-crypto.ctf.micahflee.com/. The plot for Enigma’s CTF was loosely based off of Cory Doctorow’s novel Little Brother. You’re an X-NET hacker fighting the surveillance state’s Department of National Security. You win when you capture the flag, which is a string of text that starts with “FLAG_” (but please don’t post it in the comments).

It’s 2013. We’re all being spied on. Why do security software websites not use HTTPS?

Update: This post made the frontpage of reddit and many of the comments are wrong. I took a moment to clear a couple things up at the bottom of the post.

We desperately need to work towards deprecating HTTP and replacing it only with HTTPS. The web is a huge part of what billions of people use the Internet for, and still most of it is not encrypted. Since the Snowden leaks started getting published we’ve learned that NSA and GCHQ spy on as close to the entire Internet as they can get.

It would be naive to think that the US and UK are the only governments doing this too. The network isn’t safe, and the only way to make it safe is to encrypt all the things. Websites that still use HTTP are putting users in danger. Here are a couple of examples.

Continue reading

Swatting is Not the Same as Doxing

Update: KTVU has taken down the story.

Recently I was interviewed about “doxing” by KTVU, a Bay Area news station based in Oakland. Doxing is when someone publishes documents (“dox”) about someone to the internet. It’s usually full of mundane info that can be found in a phone book and with a google search, but sometimes it also contains more sensitive information like the contents of personal emails, lists of passwords, etc.

I found out that the segment aired on TV last night when someone tweeted me asking if I really thought that “swatting” was protected by free speech laws. Swatting, I learned for the first time last night, is when someone dials 911 and reports something like a hostage situation or a terrorist bomb plot at someone else’s address in order to get a SWAT team to bust down their door.

Continue reading