Shortlog - a log of everyday things

2012-03-01

The morning started out depressing - cold and rainy. It got better as the day progressed, though, and by late afternoon was warm enough for short sleeves.

I took the BART to SF for the Stripe CTF meetup. Upon arrival, the outside door was locked, as were the stairwell and the elevator. The other four or so people who had arrived by that point and I joked that this was level07 of the six-level challenge: social engineering our way up to the office. Eventually, someone exited the building through the stairwell, so I caught the door, ran up and notified the Stripe folk that we should probably prop the door open if they wanted any of the attendees to actually make it upstairs.

The talk was good - Andy explained how they set up and secured the systems (chroot jails, limit mounts, mount -o bind,ro), and showed some snazzy graphs of how many people were logged in simultaneously over the duration of the contest. Turns out they were expecting on the order of a couple hundred participants. They got 10000 unique IPs logging in for level01. Oops. In addition, doing proper limits on anonymous accesses is nontrivial.

I was one of ~250 people who completed all six levels of the CTF. That's pretty close to what I had expected. Of the eighty or so people present at the meetup (rough number), I saw seven hands go up when they asked who got the-flag's password.

Greg and Sidd walked through each of the levels, how they were vulnerable, and demonstrated an exploit for each. Apparently some people did a statistical timing attack to defeat level06. Since the timings would be noisy with everyone else running lots of things on the machine, these folks waited until 3AM to run timing attacks for a few hours. Their persistence impresses me.
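The reason the 3AM attackers needed quiet hours and a long run is the statistical part: a comparison that exits at the first mismatching byte leaks how many bytes were right, but the leak is a fraction of a microsecond and is buried under the load of everyone else on the shared box, so each candidate byte has to be timed many times and the samples averaged. The simulation below is an added example, not the contest's level06 binary (this post does not describe how that level worked): the secret, the alphabet, and the "timing" (a constructed cost of one unit per byte examined plus Gaussian noise standing in for other users' load) are all assumptions made here. It runs the attack three ways: one sample per candidate on a quiet machine, a thousand samples per candidate under heavy noise, and the same thousand-sample attack against a constant-time comparison, where it recovers nothing.

```python
"""Simulated statistical timing attack on an early-exit password check.

Added example, not the CTF's own code. Instead of wall-clock time, each
check returns a constructed cost: the number of bytes it examined. The
attacker sees that cost plus Gaussian noise (other users' load).
"""
import hmac
import random
import statistics

SECRET = b"sesame"                          # constructed secret for the simulation
ALPHABET = b"abcdefghijklmnopqrstuvwxyz"     # assumed: lowercase-only password


def early_exit_check(guess: bytes, secret: bytes):
    """Naive comparison: returns (ok, bytes_examined). Stops at the first mismatch,
    so the cost grows by one for every leading byte the guess gets right."""
    for i, (g, s) in enumerate(zip(guess, secret)):
        if g != s:
            return False, i + 1
    return guess == secret, len(secret)


def constant_time_check(guess: bytes, secret: bytes):
    """hmac.compare_digest examines every byte regardless of where they differ,
    so the cost is the same for every guess and carries no information."""
    return hmac.compare_digest(guess, secret), len(secret)


def recover(secret: bytes, check, *, samples: int, noise_sd: float, seed: int = 1) -> bytes:
    """Recover `secret` one byte at a time from noisy timings of `check`.

    For each position, every candidate byte is timed `samples` times and scored
    by the median of its timings; the slowest candidate is the one that got one
    byte further before the early exit. A guess the oracle accepts ends the run.
    The median (rather than the mean) is used because real timing noise has a
    heavy tail: one scheduler hiccup should not swing a candidate's score."""
    rng = random.Random(seed)               # seeded so the run is reproducible
    known = b""
    for pos in range(len(secret)):
        scores = {}
        for c in ALPHABET:
            # Known prefix, candidate byte, then filler so the length is right.
            guess = known + bytes([c]) + b"a" * (len(secret) - pos - 1)
            timings = []
            for _ in range(samples):
                ok, cost = check(guess, secret)
                if ok:
                    return guess            # success is observable directly
                timings.append(cost + rng.gauss(0.0, noise_sd))
            scores[c] = statistics.median(timings)
        known += bytes([max(scores, key=scores.get)])
    return known


if __name__ == "__main__":
    # Quiet box: one sample per candidate is enough.
    print(recover(SECRET, early_exit_check, samples=1, noise_sd=0.0))
    # Busy box: one sample fails, a thousand per candidate still works.
    print(recover(SECRET, early_exit_check, samples=1, noise_sd=3.0))
    print(recover(SECRET, early_exit_check, samples=1000, noise_sd=3.0))
    # Constant-time comparison: no amount of sampling helps.
    print(recover(SECRET, constant_time_check, samples=1000, noise_sd=3.0))
```

The noise standard deviation here is three times the one-unit signal, which is why a single sample is useless and a thousand are not: the standard error of a median shrinks roughly with the square root of the sample count, and the attacker only needs the correct candidate's median to stand above the other twenty-five. Quiet hours shrink the noise term; a longer run shrinks the error term; both are the same trade the 3AM crowd made. The defence is the third run: `hmac.compare_digest` (or any comparison whose work does not depend on where the inputs differ) removes the signal rather than hiding it.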

After the formal talk and Q&A ended, the pizza arrived (perfect timing!). I wound up chatting with Leah Culver and John Collison for a good while about all sorts of things: long-polling, session management, the craziness that is chat protocols, and the impermanence of the Web and the right to disappear. I shared a bit about my group's research on the current state of permissions and privacy on mobile platforms and the recent iPhone and Android permission fiascos. We also talked a bit about password management solutions and OAuth; it turns out Leah co-authored the OAuth spec, but now thinks that individual username/password setups are actually better for users in most scenarios.

I met a guy named Dan who was wearing several CCC wristbands, and we talked about the CCC, data privacy and retention policies, differences in American and European culture, and a good bit about Noisebridge. Apparently Noisebridge runs a high-bandwidth Tor exit node. Snazzy.

As the crowds started to clear out, I headed over to the beanbag area, where I talked about Bitcoin and virtualization and reliable highly available distributed systems with Greg Brockman and Evan Broder (both of whom I knew from MIT!). We had a great time going on about high-availability datastores and Paxos and the need for a distributed lock manager. I very nearly commenced a group reading of the Amazon Dynamo paper, since Greg had never gotten around to reading it, and it's one of the finest distributed systems papers around. In the end, I opted not to, because he also needs to read the Chord paper to fully appreciate the Dynamo one, and I didn't feel like reading that one too. Broder reported that the AFS servers at MIT are no longer restarted at 3AM on Sundays. Guess the memory leaks have been fixed!

It was loads of fun meeting up with faces old and new, and as I explained that I'd be joining AeroFS in May, a bunch of people thought it sounded really neat. A couple had feature suggestions. A couple others thought their companies might like that product. Exciting times!

More and more people left, and eventually it was 23:20 and I decided I should probably head back to the East Bay. As we parted, Broder joked "Well, if nothing else, I'll see you again in January!" (We both solve puzzles at the MIT Mystery Hunt in January each year with the team Death From Above.) I laughed. Hopefully we'll meet up again before then.

A random girl on the BART heading back to Berkeley told me she liked my hair. I felt pretty.