Big Ruby 2014

How we built the "DEF CON Capture the Flag" contest with Ruby

Vito Genovese 




Thanks, everybody. Good afternoon. I'm Vito Genovese, and I'm talking about DEF CON CTF. A lot of you will know me from other scenarios with different names: my Twitter name is vito_lbs, and my email is vito at legitbs, or Legitimate Business Syndicate.

I'm going to talk about what DEF CON and capture the flag are, how we built our team, how we ran the qualification or "quals" round, and then how we ran the finals.

So DEF CON is one of the oldest continuously running hacker conferences, and also one of the largest; I think it was about 20,000 people last year. It's pretty cheap. There's another one, Black Hat, earlier in the week, same founder. It's university: your boss pays for you to go because it's like two grand. And DEF CON is the frat party you stay the weekend for on your own dime. This is the entrance hallway where everybody funnels through. When it's time to buy badges, people line up like a day ahead of time, because they sell 20,000 badges, all for cash. This is a tamper-resistant contest: somebody is delaminating a physical bitcoin to steal the public key, or the private key, out of the middle of it. Then they're going to laminate it back together. Long story short, don't buy physical bitcoins for cash.

Capture the flag is the standard computer security game. If you've seen the documentary, or not-documentary, about the social network, there are four guys, you know, trying to break into a server to win an internship at super-early Facebook. You have jeopardy-style capture the flag, where there's a big grid or big list of problems; you pick one, you get a clue, you solve it, you get an answer, and you turn that answer in for points. On the other side we have attack/defense capture the flag, where each team has servers, and you hack services on the servers, steal secrets every round, and submit them for points. At the same time you have to patch your services and keep them available, so you don't lose points for SLA and don't lose flags.

So how do you compete in capture the flag? You build a team. You get super amazingly good at assembly, like so good that when you're presented with a .c file you compile it and then run it through IDA Pro and get an ugly flowchart out of it. You get really good at web attacks, like SQL injection, maybe cross-site scripting, session fixation, and you get good at crypto too. You compete in the game, you solve problems. The first time you probably won't do very well, but you take all the problems that you didn't solve, write up solutions for them, and next time you'll do better. This is a website, CTFtime.org; they have a list of all the capture the flag competitions, and it's a wonderful resource. There are another few dozen between now and when we host qualifications again in May. These are two sample challenges from last year's game, "hype man" and "worse medicine". These are web challenges; I think they're both in Sinatra. The best team solved these in under 30 minutes each. Good luck. And you've been working all weekend on the CTF challenges; most games, or a lot of games, are 48 hours, and you get weird. This is a Dunkin' Donuts box of joe, which is actually just a foil bag of joe inside a box. It's been at room temperature for about 10 hours.

So how do you build a DEF CON CTF team? At the end of 2012 my friend gynophage is saying, "Oh, Dark Tangent, DT, the DEF CON founder, is looking for a new team to run capture the flag. Want to help us write a proposal?" So there are about eight of us involved with this proposal: a few software vulnerability experts, a couple of good hardware guys, a fantastic network engineer, like this guy can type routing rules into routers and stuff faster than I can mash my fingers on the keyboard and type literal garbage. I'm a web app generalist. I've done Rails for a long time; I, you know, do a lot of NoSQL stuff; I really, really love SQL; I can make websites go on Heroku. First Heroku plug; I have not been paid. So we get a bunch of opinionated, smart people who absolutely need to work together on a software project, a hardware project, with dozens of moving parts, on stage, in public, and we don't have any control of the deadlines. This is a recipe for disaster. What we did find worked was, you know, everybody just does what they can. If you need help, ask for it. If you aren't sure if something is going to work, if you aren't sure
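The attack/defense scoring model the talk describes (steal another team's flag each round for points, lose points when your own flag is stolen, lose points when a service fails its availability check) is sketched below in Ruby as an added example. It is not the speaker's code or the Legitimate Business Syndicate's scorer; the point values, the one-credit-per-victim-service rule and the sample submissions are all constructed for illustration.

```ruby
require 'set'

# Assumed point values for the example; DEF CON CTF's real weights are not on the page.
FLAG_POINTS       = 10  # awarded to the stealing team per valid flag
FLAG_LOSS_PENALTY = 3   # taken from the victim team per flag stolen from it
SLA_PENALTY       = 5   # taken per service that fails the round's availability check

# One flag submission: who submitted, whose service it came from, which service, the flag text.
Capture = Struct.new(:team, :victim, :service, :flag)

# Scores a single round.
#   teams        - array of team names
#   captures     - array of Capture submissions received this round
#   valid_flags  - { [victim, service] => flag issued to that service this round }
#   availability - { team => { service => true/false } } from the SLA checker
# Returns { team => points } for the round (negative values are allowed).
def score_round(teams, captures, valid_flags, availability)
  scores = teams.to_h { |t| [t, 0] }
  credited = Set.new # [team, victim, service] triples already paid this round

  captures.each do |c|
    next if c.team == c.victim                                 # submitting your own flag earns nothing
    next unless valid_flags[[c.victim, c.service]] == c.flag   # wrong flag, or a flag from an old round
    next unless credited.add?([c.team, c.victim, c.service])   # replaying the same flag pays once
    scores[c.team]   += FLAG_POINTS
    scores[c.victim] -= FLAG_LOSS_PENALTY
  end

  # SLA: every service a team fails to keep up costs it points, whether or not anyone attacked it.
  availability.each do |team, services|
    services.each_value { |up| scores[team] -= SLA_PENALTY unless up }
  end

  scores
end

# Constructed sample round with three teams and two services ("web" and "pwn").
def sample_round
  teams = %w[alpha bravo charlie]
  valid_flags = {
    ['alpha', 'web'] => 'FLAG{alpha-web-r7}',  ['alpha', 'pwn'] => 'FLAG{alpha-pwn-r7}',
    ['bravo', 'web'] => 'FLAG{bravo-web-r7}',  ['bravo', 'pwn'] => 'FLAG{bravo-pwn-r7}',
    ['charlie', 'web'] => 'FLAG{charlie-web-r7}', ['charlie', 'pwn'] => 'FLAG{charlie-pwn-r7}'
  }
  captures = [
    Capture.new('bravo', 'alpha', 'web', 'FLAG{alpha-web-r7}'),   # valid steal: bravo +10, alpha -3
    Capture.new('bravo', 'alpha', 'web', 'FLAG{alpha-web-r7}'),   # replay of the same flag: ignored
    Capture.new('charlie', 'alpha', 'web', 'FLAG{alpha-web-r6}'), # stale flag from a previous round: ignored
    Capture.new('alpha', 'alpha', 'pwn', 'FLAG{alpha-pwn-r7}'),   # own flag: ignored
    Capture.new('charlie', 'bravo', 'pwn', 'FLAG{bravo-pwn-r7}')  # valid steal: charlie +10, bravo -3
  ]
  availability = {
    'alpha'   => { 'web' => false, 'pwn' => true },  # alpha's web service failed its check: -5
    'bravo'   => { 'web' => true,  'pwn' => true },
    'charlie' => { 'web' => true,  'pwn' => true }
  }
  score_round(teams, captures, valid_flags, availability)
end

puts sample_round.inspect if $PROGRAM_NAME == __FILE__
```

Running the file prints the round's scores: alpha ends at -8 (one flag lost, one service down), bravo at 7 (one steal, one flag lost), charlie at 10. The two rejections worth noticing are the replayed flag and the stale flag: a scorer that keys validity only on the flag string, without the per-round issue table and the credited set, lets a single capture be cashed in every round.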

