The story of the "Uncrackable" Lockbox, and Why Hackers Need to Work Alongside Developers

About Matthew

Matthew is a Sustaining Engineer at Canonical by day, and spends most of his time knee deep solving complex Linux kernel gremlins. His hobbies involve reverse engineering interesting software, blogging about tech stuff and making his high security Linux distro, Dapper Linux.

Talk Overview

I was scrolling reddit, and a post came up from a developer with their own homemade encryption program. They issued a challenge: break open the time sensitive uncrackable Lockbox, and you will receive 0.02 BTC.

Just in it for the entertainment of seeing how bad their encryption was going to be, I had the Lockbox open two hours later. I wrote up a blog post detailing how I managed to break in, and thus started a series of new challenges, each more complicated than the last, as I worked with the developer to strengthen their program.

All challenges had the same thing in common: The developer kept making fundamental mistakes when it came to security, and I defeated five of his challenges with simple attacks straight from the security 101 textbook.

In this talk, we will reverse engineer five versions of the TimeLock program, review the disassembly of simple vulnerabilities and use our debugger to exploit the program into revealing its secrets.