New Contest: RTFM ("Read to Further Mastery")

Announcing our very first “official” contest (meaning we have a legit prize): RTFM 1.

What is it?

You may be familiar with “Capture-the-Flag”, or CTF.

No, not this one:

Nor the video/computer game equivalents (though who doesn’t love a rousing round of bzFlag?).

We mean this kind.

“But wait,” I hear your hypothetical voice cry, “I don’t know how to do that!” (or, in the case of Johnny Xmas, a seasoned professional in InfoSec and a guest from S2E18, you may be saying “I don’t think that’d be fair to people less-experienced”, and rightfully so – and an honorable thing to support).

Well, I have good news and bad news.

The good news is that it doesn’t matter if you have any CTF experience at all! Because we aren’t actually doing an InfoSec CTF. (It’s closer to a “knowledge and documentation CTF”.)

The bad news? Probably none of you reading this have a natural advantage. (We want it to be fair, remember?)

We wanted to:

  • Keep the playing field “level”, meaning keep it fair to everyone no matter what level of experience…
  • While still keeping it competitive, meaning we only have one ticket to give away so we’re not just going to randomly pick a name out of a hat, because…
  • We want to make sure you all learn something from the experience.

And by “learn something”, we don’t mean some ideological lesson to be learned. We’re not Flannery O’Connor or something. We mean pragmatic/practical knowledge that can be applied to your professional/hobby life. It’s less about knowing how to attack a certain protocol, or being able to recite some fact, or doing something the fastest. It’s about teaching you how to fish, as the turn of phrase goes.

How? What are the rules? How do I enter? etc.

Entry

No experience, purchase, etc. necessary, of course. We don’t even require a signup. I mean, it’d be nice if you subscribed to our show and followed us on Twitter but it isn’t required for the contest. Simply send your answers (we’ll get to that in a minute) to us via email at contests (at) sysadministrivia [dot] com, or through our contact form, or via Keybase Chat, etc. Just make sure you use the same contact method, and the same contact handle, each time. You’ll probably want to keep your answers private, too; if you prefer e.g. Twitter, make sure you DM us (DMs are open) instead of just @-ing us.

How do I play?

We will post a question, or clue, with (what we hope is) a very specific answer or series of answers. This knowledge will be esoteric, but it will be accessible via public documentation, etc. on the Internet. Your task will be to hunt down the necessary documentation, and provide an answer based on that documentation. It’s okay if you copy-paste the relevant part of the text, just make sure you cite it in the way compatible with the challenge/question’s requirements. (This will make more sense as we post the challenges.)

What types of documentation?

Typically, things like RFCs (“Request for Comments” or, as I like to call them, “Read For Comprehension/Competence”), API documentation, etc.

Note that we are specifically going to be phrasing things a bit ambiguously/obscurely, so a ctrl-F/find-in-page won’t work. You’re going to actually have to grok it a little.

When will the challenges be posted? How many will there be?

There will be three challenges posted, and they will remain active until the end of the contest (see rules).

CHALLENGE #1 was posted here, in this post.
CHALLENGE #2 was posted on November 17, 2017 at 1700UTC/1200EST.
CHALLENGE #3 was posted on November 27, 2017 at 1700UTC/1200EST.

Why do it this way?

It’s important to “grok, not grep” – meaning it’s much better to know how or why something works a certain way than just copy-pasting from a StackOverflow answer or the like without understanding what that does. This contest is less about the prize, and more so about learning – more specifically, learning how to learn – because this is the most important ability you’ll teach yourself in the technological world.

Rules

The official rules are as follows:

  1. Sysadministrivia hosts are judges
    1. All Sysadministrivia staff (including editorial staff, designers, etc.) are excluded from entry/disqualified. It’s okay if you know one of us, though. (We’ve made a solemn pact to not give out any answers, so don’t bother asking/bribing/etc.)
    2. Brent/r00t^2 retains executive powers in choosing a winner (for example, in the case of a tie, if no clear winner is found, etc.)
    3. The validity/correctness of a response to a challenge is determined by the judges.
  2. The contest will begin at the time of this message being publicly posted and will remain open until December 5, 2017 0000UTC. The winner will be announced live on S2E22, season 2’s “Shitshow” (which is open attendance), along with a post here on the site.
    1. If the winner does not check in to provide further contact info to claim their prize within 72 hours of announcement, a new winner will be picked and announced via this site.
    2. The winner must contact us directly within 72 hours of us announcing their win.
    3. Delivery of prize will be negotiated via direct and private contact with winner.
    4. The winner will be considered the first individual that has submitted all/the most “correct” (as deemed by judges) responses to all three challenges.
  3. All terms are subject to change at the decision of Sysadministrivia.

What prize is up for grabs?

How does a shiny first-round ticket to HOPE XII grab ya? You’ll have a chance to meet thousands of other technology enthusiasts (security professionals, IT professionals, “bio-hackers”, and the like), learn how to pick locks, and attend a variety of talks (there’s bound to be at LEAST three that interest you). Plus, and I don’t know if it’s a selling point, but you’ll be able to meet the hosts of Sysadministrivia in-person as well!

Tips, Tricks, and Help

We want to make sure you learn how to find and understand documentation for this contest. That’s the most important part for us. While we won’t give you the answer (or even the specific place to find it), we will help you with learning how to find and understand documentation if you feel lost.

You can contact us for help. We recommend our IRC channel; it’s the fastest way. However, if you’re an autodidact, here are some things to get you started:

  • Google-Fu is indispensable. It’s become an immensely powerful tool when searching for documentation, and one that wasn’t available much in the past.
  • It’s also important to know how to read RFCs.
    • If you prefer locally browsing documentation, there are tools (such as one I wrote and the official IETF tool) that will help you with viewing RFCs.
  • You may need to read the actual source code in some cases for a challenge or two. Don’t fret! Pay attention to contextual clues surrounding the information. What does that particular file of source do, how does it seem to play into the larger project/compiled program? What are the function names? What information is available inside those functions?

THE FIRST CHALLENGE

There is a VPN protocol/implementation that has been standardized in the enterprise world. It is used by Cisco AnyConnect. In the most recent/up-to-date RFC for this protocol’s key exchange method’s specification, not its roadmap:

  • What is this VPN protocol/implementation?
  • What algorithms (all functions – hashing, encryption, etc.) are required to be supported by an implementation?
  • What algorithms (all functions – hashing, encryption, etc.) are optionally supported, and recommended for an implementation?

To be considered a valid answer, you must provide the correct answer for all three questions and the RFC number and section in which you found the information for the second and third questions.

(For a bonus, which does not actually grant any real benefit to your score but will make us happy, which of those recommended algorithms would you advise AGAINST using today and why?)

Comments

  1. This is an awesome contest!

  2. @shaf – thanks! hopefully it’ll be one of many!