hack.lu review
I attended hack.lu from Thursday evening to Saturday afternoon.
It was an interesting conference, mainly because of the attendees rather than the speakers. Wietse Venema's talk on Software Engineering Security was very interesting, though. He talked about a file wipe program which was badly broken although the code looked reasonably correct. He then demonstrated how a fix was proposed, and how that did not do much either. The main reason it was broken was the assumptions the authors (and fixers) made about what the operating system/hardware would do, versus what it actually did in reality.
Sandip Chaudhari talked about a way to exploit memory allocators by overwriting the memory management information and then abusing a following malloc call rather than a free call. It was a pity that he focused his research on AIX and Solaris rather than more modern operating systems. I was happy to learn that our malloc (dnmalloc) was not vulnerable to this attack.
The capture the flag at hack.lu was canceled, but hackerjoe made a hacking challenge which was pretty interesting. Thierry Decroix, Ilja Van Sprundel, Willem De Groef, Tom Van De Wiele, Pieter Danhieux and myself formed an ad-hoc team which we called "belgian fries" (since all of us are Belgian). We started Friday evening, but because the wireless network connectivity was so bad, we gave up after only one level. On Saturday we decided to try again. A team called bisonours had made it to level 7 (the final level) during the night, but apparently not by solving the challenges: some permissions were wrong and/or they had rooted the machine. When redteam also reached level 7 (in the same way) and created a level 8, they started "fighting" (the game turned into a kind of hacker war rather than a challenge). Sadly they ruined the game for the rest of us who actually wanted to do all the real challenges (bisonours had set the database files immutable, modified permissions on files so that the hacking challenge was broken, etc.). So we ended up rooting the machine as well and joined the "war", which ended with us taking control of the machine and placing a large picture of some Belgian fries at the top of the page (see screenshot). This was the end of the game as far as I know: we were the only ones left with real access to the system before hackerjoe decided to shut down the machine.
All in all hack.lu was better than expected, although you may be a bit disappointed if you mainly go to conferences for the talks.
[EDIT:
Pictures taken by Willem: http://www.cqrit.be/hacklu/pictures/
Here are some other viewpoints of hack.lu in general and the CTF at hack.lu:
RedTeam
Sid from rstack
Yom (in French) (his CTF screenshot shows our almost-final modification, where we changed bisonours's final stage to be "only for girls" instead of "not for girls").
]
| Attachment | Size |
|---|---|
| screenshot.jpg | 119.19 KB |
