Doctoral student among small percentage of players to finish online competition
Despite his research into establishing computer security measures, computer science doctoral student Ian Graves found himself on the other side of the server as one of the participants in an online competition to discover security hacks in a virtual version of “capture the flag.”
Graves was one of 978 players — out of a pool of more than 16,000 participants from around the world — to complete all eight levels of Stripe.com’s Capture the Flag 2.0 web competition.
“The point was to follow the guidelines and use the best practices,” Graves said about the game’s structure. “They’re not just asking you to use a certain practice to give you more work.”
Stripe is a California-based company that provides online payment processing services. Its Capture the Flag competition consists of eight levels. It requires players to exploit mock security flaws within each level in order to retrieve a password that enables the player to advance to the next level. With each level, the flaws become more complicated to find. The competition began at noon (PDT) Aug. 22 and was closed Aug. 29. The first player to finish all eight levels did so on Aug. 23, 20 hours after the start time.
Graves, who is advised by Associate Professor Bill Harrison and works in the MU Center for High Assurance Computing, said he had heard about the competition through the company, which he was familiar with. On a whim, he decided to “throw a weekend away” on the competition. He said he didn’t work continually on the game, and he finished after about four days, the last level taking him about a day to crack.
“A lot of the problems dealt with classes of problems, like a server that trusts too much,” Graves said. “Eventually, it gets convoluted and very acrobatic to get to the next level — you have to do all these tricks to get the website to cough up the password.”
While the game was for entertainment purposes for most of the users, Graves said he saw the value in this type of exercise. For him, it was a learning experience for the types of security risks programmers encounter, and it gave him practice on different programming languages. He said he thought the more familiar these security risks become, the more proactive developers will be.
“People assume the more people learn how to pick locks, the more people will pick locks. But in this case, the more people know, the safer they can keep themselves,” he said. “Security exploits happen, but not every day.”