IronHacker Vancouver 2012 Review

Introduction

Last December I participated in the first Vancouver Iron Hacker. It was my second hackathon, and also was the first event I went to that had online programming challenges that you had to successfully complete just to register.

Interview opportunity

It turns out that hackathons are a great way of informally interviewing potential new hires. At the time I was the lead on PlayRank Basketball (iOS second-screen social sports app), and had one contract engineer helping me out. We needed another one, so Adrian and I thought participating in a hackathon would be a good way of getting a sense of the technical and collaboration skills a person has. I met Aaron in person for the first time (all the work on PlayRank was done remotely) at the event, and we worked together for our entry. The hackathon served as the perfect interview – we both had fun, and I could see first hand that he was a great candidate. This was proved in the months following the event, when we successfully shipped PlayRank together. (It also turned out we had lots in common, and collaborated well)

Early attempts

Once we were told the theme for the challenge, which was “password authentication sucks”, we started brainstorming. Various ideas were bounced around, from voice, image, or video recognition, to “1password” master key type solutions. We also quickly tried to prove out some physical prototypes for a capacitive ‘id card’, like some newer CCGs (collectible card games) are doing with capacitive ink. You can place the card on a modern smartphone or tablet, and the touchpoints are detected, and recognized as a unique card. We thought we could apply that to a passcard system – however our physical prototypes just didn’t work. We tried using business cards with tin foil we found in the kitchen, with staples, in all sorts of configurations to no avail. We had to keep things moving for the sake of time so we moved on to some of our other ideas.IMG_1066

Since we both had a background in game development, we also brainstormed some ideas about implementing a mini game that your unique solution would act as your ‘master password’, and it would unlock a vault of logins that would be stored behind it. We even thought about making some sort of ‘boss battle’ that would act as the challenge. However, due to the limited time we thought that a game would be out of scope so we moved on to other ideas.

We eventually arrived at the idea of doing some sort of QR Code + password hashing solution for storing and generating a password.

Side challenge

There were a few side challenges during the day, and I managed to win one of them. The challenge was to find a hidden message running on a hidden webserver on the main event website, and whoever tweeted the message first, won. So I fired up nmap and a few seconds later found all the hosted services on the machine, including the hidden webserver. It was hosting a single html file which contained the message. Then I tweeted it.

Final

Our final project used an open-source javascript QR code detection library, HTML5’s webcam tag, and Oplop, all wrapped in a Chrome extension that gave you the option to using a QR code + your facebook login to generate a strong password, and automatically enter and submit it to Facebook (logging you in). It could easily be adapted to any website as well. We demonstrated successfully to the other participants, but alas did not place in the finals. You can find all the code and files hosted here.

Thoughts on Iron Hacker

Going into Iron Hacker I was under the assumption that we would be finding or plugging security holes in software, or working on low level, challenging computing problems. Instead it turned out to be a pretty web developer (read: javascript, php, ruby, etc) centric event. In part I think this was not entirely the fault of the event itself, but also the crowd. For example, the winning projects were determined only by votes from the participants. (Funny how the winning teams were also large in team size) But I definitely got the impression that everyone else who was there was a back or front end web developer in their day job.

So I came in expecting cross site scripting exploit finding and fixing, or buffer overrun opportunities, but instead it was ‘build a web app as fast as you can’. I wasn’t quite prepared for that challenge, but in the end it was still a fun day, and well worth participating as a team building exercise with Aaron.

Upcoming event

The second-ever Iron Hacker in Vancouver taking place on May 11th, 2013. I am unable to go for scheduling reasons, but I encourage anyone who is even slightly interested to go for it! It will be fun, you will meet like-minded people, and those two things go great together.

NOTE: I’m not sure why, but the main website has no link to the event registration, and it lists May 4th as the date. It has been moved to the 11th and maybe the registration hasn’t gone live to the public yet.

Posted in news Tagged with: ,