I was scrolling Reddit, and a post came up from a developer with their own homemade encryption program. They issued a challenge: break open the time-sensitive, uncrackable Lockbox, and you will receive 0.02 BTC.
Just in it for the entertainment of seeing how bad their encryption was going to be, I had the Lockbox open two hours later. I wrote up a blog post detailing how I managed to break in, and thus started a series of new challenges, each more complicated than the last, as I worked with the developer to strengthen their program.
All challenges had the same thing in common: The developer kept making fundamental mistakes when it came to security, and I defeated five of his challenges with simple attacks straight from the security 101 textbook.
In this talk, we will reverse engineer five versions of the TimeLock program, review the disassembly of simple vulnerabilities and use our debugger to exploit the program into revealing its secrets.