Hacker News new | ask | show | jobs
by nickpsecurity 3696 days ago
Depends on what the desired outcome it. I read the challenge as compromising one of the pieces of software on the website. Doing that with social engineering was the desired outcome.

The attacker thought out of the box to tackle a lesser challenge: getting a string on the website itself. It was technically true under rules, funny, and contest issuer even owned up to it. It's not the real challenge, though. No real-world impact. So, just amusing trolling.
1 comments
exolymph 3695 days ago
Websites are made of software.
link
nickpsecurity 3695 days ago
Lol. I'm not repeating myself twice if you're not seeing the point.
link
ademarre 3695 days ago
You're failing to see the charm here. Social engineering is a confidence trick that exploits gaps in someone's personal trust system.

Surely you are right that when he presented the challenge he had something different in mind. But that's exactly the point! The winner realized that the website itself might be a gap in the challenger's trust system; a place where he would have his guard down.

Eschewing the implied parameters of a problem and cheating expectations are what vulnerability detection is all about.

link
nickpsecurity 3695 days ago
I not only see that: I specifically explained the expectation and how it was reframed into a new target above.

https://news.ycombinator.com/item?id=11693426

Your failing to see my actual concern here. I'm one of those old-school types that rate people on impact their work has first and how clever/funny it is second. The first, expected challenge had consequences with impact. Tackling that with effort even close to success would be praiseworthy & even contribute something new to INFOSEC.

The other thing is the kind of shit I do to coworkers and people online all day for fun. One I hadn't thought of and clever for sure but same concept. It's a combo of wit and sophistry that focuses on technicalities of people's statements who aren't thinking carefully about them. Outside policy and procedures, outthinking a statement has no impact at all.

So, as I think along both lines, I recognize it as clever trolling in the second category like I do 20 times a day. Similarly pointless. Just fun and funny. Then, acknowledge that the real target or challenge would've been more valuable. Implicitly encouraging people to go for that one in case we learn something important. You know, relevant to information security. Plus, I give highest props to people that pull off difficult or nigh-impossible feats.

link