Hacking Games

Last Friday, we had our second Hacking Game at eTF1. You should play, too.

Hacking GamesWhat' a Hacking Game? In short, it's like a fire drill for hackers. In a fire drill, you hear a siren, and everybody has to stop whatever they're doing and leave the building. In a hacking game, one guy starts screaming in the middle of the afternoon "We're being hacked! Help us!", and everybody in the IT department has to stop whatever they're doing and prevent the hack. It's the same thing. Except for hackers.

Not everybody is a hacker in my IT department. That's why I initiated the first hacking game.

The first game

That was last year, about the same time of the year, one Friday afternoon. I ran into the developers space, screaming and panicked, asking for everybody's help. Acting is not my best quality, but these people were part of my team, so they kindly listened to me, with a knowing smile.

It turns out the French National Lottery (called "Francaise des Jeux") was unable to give the names of the winners of the draw that had just been aired on TV. The National Lottery was one of our customers, so they had asked me to help them find the name of the winner. All the grids that had been registered for that draw were stored into and encrypted file, and I had this file in a USB stick. I also had the description of the file format, written by a mentally disordered project manager.  We had one hour to find the name of the winner in the encrypted data, until the results of the draw had to be announced on TV. Please everyone, we must all work together on this.

Why do we play?

I saw a lot of interesting things. Some people would dive into the encrypted file, some would try to understand the bad written specification (with text written in white on a white background, would you believe it?). Some would organize the work of small teams, some others would bootstrap a script for brute force cracking, and some would naturally pass the information from one group to another.

Also, a few people would stay behind and look, others would fight with the computer and get nothing out of it. Some would be lost and never ask for help, some would look for a red herring, and some would be going out and have a cigarette.

All that in a single hour. The 40 participants overall had a great time. But most of it, the lessons the management team had learnt from the observation of the game gave us enough work for the next 6 months.

During that time, we focused on building a better team spirit, increasing the skill of the coders who were not fast enough, building an easier development environment for a quick startup, forming small teams for better efficiency, encouraging the leadership of the ones who had taken it spontaneously, finding tools for better communication, etc. We did our best to push everyone to the second lever of hacking. Did we succeed? We had to test it during a second hacking game to check it.

The second game

So we did it again, last Friday. Except this time, the game was organized by a small group of project managers, and very few people knew when and how the game would come. This time, an email was received from a guy who said he used to work with us. He wrote that he was so mad at us he was going to deface our main website. 13 Million visitors were at stake, the countdown was already started. Please everyone, we must all work together on this.

Boy, do we have a team of hackers now. The first clues were found very quickly using social engineering. A Facebook account, a list of friends, leading to a Twitter account, where two very strange tweets looked like a coded message. Small groups formed within minutes, with less keyboards than heads. An issue was opened on our ticketing system with everyone in the room registered as a follower to get updates. Each individual worked for the whole group, not in a competitive mind. Those who were lost were naturally taken care of, and attached to a group.

People started brainstorming, looking not only for ways to decode the message, but also to prevent the defacing. A system administrator took the initiative to lock our CMS backend down, to prevent any modification of a content by a hacker using a backdoor. Uh-oh, the was not planned at all - we got calls from real customers who couldn't update the contents of their sites anymore. But if the attack was real, this would have been a very good reflex, so we kept the CMS locked for the rest of the game.  

I don't get it. Is this a game?

After about one hour, the scheduled "bomb" content was found and destroyed by two smart developers. To be honest, it was the result of 59 minutes of a great team work. People were so focused on the objective that nobody took time to explain to the newbies that this was a game. Some of them were very anxious about being under attack again soon. The 50 participants overall had a great time. 

But most of it, by just observing the game, we saw hundreds of little things that needed improvement. That gives us enough work for the next six months, at least. But you can be sure that we'll soon be reaching the third level of hacking.

Published on 14 Dec 2011 with tags development management

comments powered by Disqus