“I know what it sounds like,” said CS senior Morgan Jones, “but ‘Hack the Vote’ is just the title and theme of an electronic security competition this weekend. It combines Jeopardy-style challenges in an online Capture the Flag (CTF) tournament.”
The “flags” in CTF security games are tiny bits of code hidden in various challenges. When a team successfully solves a challenge, they discover the flag and collect the points for that assignment. Unlike Jeopardy, the points for an assignment can be captured multiple times, by any team that solves the challenge.
“No, we are not hacking real electronic voting systems,” said Jones. “The title ‘Hack the Vote’ just means the challenges will have an election theme.” He speculates that one challenge might display candidate images to the teams using ASCII symbols; another could be to pick apart a fake online voting machine set up by the game hosts for the competition. “It would be really funny if you had to exploit something written in TrumpScript*,” he said.
Jones chose Rice for its strong Computer Science program but did not expect to find security so fascinating. He and his friends had built apps and servers as side projects for fun in high school, then he was assigned to an unusual residential suite at Rice’s Baker College. “It was four freshmen and four seniors,” he said, “and of the four seniors, three were in CS. One of them, Damien Stone, was really into cybersecurity.”
He had only been at Rice a few months when Stone organized a team for a security-based Capture the Flag tournament. When most of his team members dropped out at the last minute, Stone reached out to Jones. “It sounded really interesting,” said Jones. “I’d been listening to him talk about the world of security for a while, so I joined in.”
The tournament was completely online. Jones, Stone, and a graduate student from CS professor Dan Wallach’s research group met on a Friday night and worked on the challenges for 36 hours. Jones said, “I felt like I was contributing, like I was doing well, and I was also learning a lot. That got me hooked.”
He said teams enter the CTF security game environment through a website. “When you login, you see a Jeopardy-style board with questions you get points for solving,” said Jones. “There will be categories like reverse-engineering, cryptography, exploitation and forensics.”
Forensics challenges often provide a set of files that teams explore to find hidden messages. Exploitation challenges usually prompt teams attempt to find vulnerabilities built into a service on a server hosted by the CTF organizers. “When you find the vulnerability, the flag is revealed,” said Jones, who appreciates the creative thinking prompted by the challenges.
“The creativity is in the way you solve it,” he said. “There is at least one problem that’s present and that you have to solve, but there could be multiple ways to solve the problem.”
“I’m really glad to see our students self-organizing and going after competitions like this. These contents simulate many real-world security challenges, and many of the strongest researchers in security got their start playing CTF,” said Dan Wallach, professor of computer science and manager of Rice’s Computer Security Lab. Wallach’s research has been quoted frequently this election year and he testified during the U.S. Congress Space, Science, & Technology Committee on Voting Security’s hearing, “Protecting the 2016 Elections from Cyber and Voting Machine Attacks,” in September.
To participate in this weekend’s Hack the Vote tournament, contact Jones (mjones @ rice).
*TrumpScript is an application built during HackRice in January 2016 by Jones’ classmates Sam Shadwell, Chris Brown, and Cannon Lewis, along with Dan Korn of UNC-Chapel Hill.