Joe Lothan

Security Engineer

Bio

A large part of computer security education is tied up in security games and challenges like CTFs and wargames. They are great at teaching topics in security in a fun and engaging way, but it can be difficult to make the jump to looking at real software, for both technical and motivational reasons. I want to present a strategy to make that switch: to look for security vulnerabilities in real, but smaller and less popular, software used in one's personal interests. I really like doing crossword puzzles, so the bulk of the talk will be about three mini CTF-like challenges looking at popular software used in the crossword puzzle world. I want to introduce the "challenges" in my self-directed "real world CTF", the "flags" I find, and how I used my experience doing CTFs to solve them. The three "challenges" are reversing and cracking a Java crossword puzzle creation app, a PHP object injection in a popular crossword forum site, and a memory corruption bug in a crossword puzzle solver desktop application. I hope to close it out with an encouragement to seek out strange bespoke software used in one's own interests (music creation, gaming, etc.), see how it works, and see if it can be broken.