(This is a guest post by Adam Zabrocki, a consultant at Cigital.)
The UK intelligence agency GCHQ (roughly analogous to the US’s NSA) recently posted an online challenge at [canyoucrackit.co.uk] (read more). Given essentially no information other than what are pretty obviously hex digits, candidates are invited to attempt to “crack” an opaque puzzle. It isn’t even clear what the puzzle is (is it an encrypted document? Is it a program? Is it a virus?).
Ostensibly the puzzle will help GCHQ identify very clever candidates to come work at the agency, fighting the good fight in cyberwarfare. Other high-profile companies have tried similar strategies in the past (like Google and Microsoft) to find highly qualified candidates.
The puzzle requires unraveling x86 instructions, finding a few bits of essential data hidden steganographically in the image itself, and putting it all together into a program that reveals a final URL to visit. The skills required to do this are similar to those required for reverse engineering unknown malware and trying to figure out what it does, especially when only part of it is present. It’s part systematic sleuthing, part guesswork, and part forensics.
As the UK, the US, and many other wealthy nations attempt to build their defences against cybercrime (and cyberwar), they are trying to identify good guys who have what it takes to understand what the bad guys do. It’s great fun to solve a problem like this, and it’s great fun to imagine doing that for a living to serve your country. But when you discover that the government’s salary is a fraction of the salary of being a private-sector good guy (not to mention what the bad guys might make), it’s no wonder they are struggling to find recruits.
The details of how I solved it are on my personal blog.