The Ethical Hacker Network (EH-Net) is more than a free online magazine for security professionals as it also acts almost like an educational portal for newbies interested in security. Every year like a Christmas tradition, EH-Net features a holiday hacking challenge written by security attack and defense guru Ed Skoudis. The 2010 skills challenge is The Nightmare Before Charlie Brown's Christmas.
Donald Donzal, the man behind The Ethical Hacker Network, said one of the great methods to learn and get involved with the security field is EH-Net's "Skillz H@ack1ng Challenges hosted by Ed Skoudis of SANS and InGuardians. Basically, they are written stories from popular culture that we twist into a hacking scenario with questions for which the contestants have to submit their best answers. It's a fun way of learning practical methods and win signed copies of Ed's book, Counter Hack Reloaded."
Interview with Ed Skoudis
How many years has Ethical Hacker Network hosted holiday hacking challenges created by Ed Skoudis?
Skoudis: I've been writing hacking challenges since 2002, with my first Christmas-themed one being "How the Grinch Hacked Christmas," written all in rhyme and reflecting the big worm attacks so prominent in those days. I followed it up with "Rudolph's Cross-Site Christmas" in 2003. Then, in 2004 and 2005, I stopped writing challenges, as I got involved in a lot of other projects.
In early 2006, Don Donzal reached out to me, asking me to rekindle the challenges for EH-Net (prior to that, they were posted at places all over the Internet, without a single source). I wrote "The Empire Hacks Back" that year just to get back in the challenge vibe and work out the relationship with Don and the EH-Net community, with a bot-net controlled by Darth Vader controlling the Millennium Falcon's malfunctions. It was very well received, and working with Don was a joy. So, we returned to our Christmas themes with A Christmas (Hacking) Story (based on that old movie with the Messy Marvin kid, who, in our scenario has to hack into his father's furnace so he can see if he's getting a laptop computer for Christmas). In subsequent years, I wrote:
- "Frosty the Snow Crash," featuring some Windows command-line and Netcat UDP Christmas magic
- "Santa Claus is Hacking to Town," which lets you help Santa hack out of the Bergermeister's prison, using pass-the-hash attacks and pivots
- "Miracle on Thirty-Hack Street" (written with Kevin Johnson), where you get to help keep Santa out of the insane asylum by using the Facebook API to recover his crypto key
And, then, this year's challenge, "The Nightmare Before Charlie Brown's Christmas" (written with Yori Kvitchko), a Christmas mash-up involving a Voice over IP attack readers get to analyze.
What inspired you to write the first holiday hacking challenge?
Skoudis: Back in 2002, I was asked by the folks at TechTarget to write hacking challenges on a monthly basis as a series of recurring articles. I wanted to write a challenge based on a recent case I was working on as an incident handler. In that case, the bad guys were hacking into a target Linux machine, but made it look like they were hacking into a Windows box as a head fake. I had recently seen the movie "Shell Game" with Nicholas Cage and John Travolta, and it occurred to me that the case and the movie were related. So, I dressed up the case in the context of the movie. People seemed to like it, so I kept going. Later that year, I decided that I should move toward more mainstream, fun, geeky movies, so I wrote additional ones based on Star Wars, the Wizard of Oz, The Princess Bride, and Spider-Man. When Christmas came around, it seemed natural to do one based on one of those Christmas movies I love so much... and How the Grinch Hacked Christmas was born. So, this kind of grew organically, from a few ideas that were refined into our annual challenge. I think the best traditions always grow that way.
How long does it take to conceive these challenges? How long to write it up?
Skoudis: I start thinking hard about the challenge on November 1. I spend about an hour a day for a week or so conceiving of the challenge and the overall technical hooks. Then, the writing of the technical component takes a week, and the narrative writing takes another two days. So, in the end, you are looking at about 60 to 100 hours of work in each challenge. I do these as a labor of love. They are fun, and many people tell me that they've helped them learn and advance in their careers, which makes it all worthwhile. I do not receive payment for the challenges.
What challenge had the best answers ever submitted?
Skoudis: Oh, there are so many good ones. Some of them are very clever technically, and others are hilariously funny. It's hard to choose my absolute favorites, because there have been so many good ones.
What challenge seemed to especially stump people?
Skoudis: We really haven't had a challenge that stumps people outright. You see, we write every one of them so that everyone who reads it says, "I think I can answer this." We want every one of the challenges to _look_ simple and straightforward, easily answerable within an hour. But, we write each one so that people learn while they are doing it, with some of the nooks and crannies of the tools and techniques coming to the forefront. So, while everyone thinks they can answer it within an hour, those who really know their stuff might go far far deeper.
Thank you Don and Ed. If you like security, or hacking, why don't you make The Ethical Hacker Network holiday hacking challenge a tradition? How fast can you answer The Nightmare Before Charlie Brown's Christmas?