This has historically been a pretty fun challenge to do. Earlier levels are quite easy, but later levels can be quite challenging and require specialized skills (e.g. reverse engineering, binary exploitation, cryptography). There’s a decent focus on “realism” which makes the challenge series more interesting than a typical CTF. If you’re eligible to participate I’d highly recommend checking it out.
P.S. if you do well, the NSA sends you swag; I have a couple of very nice signed letters and NSA medals that look great in my office :)
After reading "Permanent Record" by Edward Snowden and "Cult of the Dead Cow" by Joseph Menn, I can't help but feel like the NSA is basically "the bad guys", and I assumed most hackers would feel the same. Are people really excited to do challenges like these for them?
I don't mean that in an accusatory way, just genuinely curious as my perspectives (one from a whistleblower and one from 80s hacker culture) are obviously not the same as those of a modern day hacker.
I'd recommend reading James Bamford for a more positive look at NSA and their charter...which is essentially math, math, and more math, and unrelated to politics within NSA anyway.
The Snowden stuff is extraordinarily excerpted to that which a contractor (Snowden) was seeing in a post 9/11 strange fiasco which did bring politics into play. Bamford predates that mess.
NSA is an enormous organization with many chartered activities, some small amount of which involve math, some of which is defensive and benign, some of which is offensive but understandable in the same sense our maintenance of a fleet of nuclear-powered aircraft carriers, and some of which is probably hard for anybody to get comfortable with (much of which should be halted). A lot of what NSA does is ultra-boring, and some of that should be halted too. Like every major federal government bureaucracy, NSA's most important charter is to secure more budget for NSA (which I maintain is actually an important fact to keep in mind when designing technical security countermeasures).
My point being: be wary of any attempt to characterize NSA in just a sentence or two.
Some of this puts me in mind of people's mental model of NIST as a hive of USG cryptologic activity when it is in reality like 3 very overworked cryptographers and a bunch of project managers. (Someone correct me on this, and then reach out about being on the podcast).
> The Snowden stuff is extraordinarily excerpted to that which a contractor (Snowden) was seeing
I highly recommend you read his autobiography. The typical Beltway career in IT is getting clearance and then coming in as a contractor, there is nothing out of the ordinary here.
Adding to that, he was directly employed by the CIA from 2006 to 2009. The "contractor" line is a really sad attempt to discredit him.
I would love to hear more about how Menn's book about a clique of nerdy teenagers shaped your opinion of NSA. (Some of those nerdy teenagers are friends of mine; we were nerdy teenagers of the same vintage. I'm not dunking on them.)
You’re right. The US IC has shown time and time again that they have no moral compass, no regard for the US Constitution, and no regard for human rights or the rule of law.
That said, neither do a lot of hackers. There is a long history of collaboration between hackers and the military-industrial complex. Silicon Valley is Silicon Valley because of the DoD. And the director of the NSA once gave the keynote at DEF-CON.
Even the best hacker movie, from which I take my nick, ends with the hackers assisting the NSA as if they are the good guys. :(
Intelligent people like Snowden don't become as deep into the NSA as they are without a whole lot of "good guys" propaganda for many years first.
That’s a distinction without a difference. He was directly CIA for a bit, and went through the revolving door to a contractor who was placed at the NSA. It really doesn’t matter which corporate entity’s name is on the pay stub; it’s all the same public-private scam. Whether or not Booz gets a percentage of the tax money firehose for running the payroll or not is of no import.
All of this is covered in his book, which is a decent read. I recommend it because it’s information dense and quick.
Furthermore, I said he was deep into the NSA (which he was), not that he was employed by them.
The NSA was effectively blinded for a period of time. Do you think bad actors didn't take full advantage of this? Where did Snowden work prior to NSA? Why doesn't Julian Assange have a Hollywood film?
> Anyone with an email address from a recognized U.S. school or university may participate in the challenge.
Aww, that's not so fun :( Was kind of curious to participate, but seems it's US + students only. Kind of makes sense that it's US only I guess, but why only students?
They primarily do. Someone else on the thread says they do some industry hires, but everyone I know who worked there was recruited from engineering school.
I know a few people who went in as experienced hires, but the NSA in particular is happy to do high-paid contracts if you have the appropriate skills, so most of their actual employees seem to be straight out of school.
I remember a bunch of TLAs approached most of my friends in college, but never took an interest in me.
At the time I thought, "That's stupid. I'm the best phreaker in this NPA!" Later I realized this might be a liability, not an asset.
There are many pathways and schools internally for the different directorates.
Most programs are partnered with outside schools, with some giving you course credits for internal classified work and only requiring a few outside unclassified courses to fulfill needs. Many of these are MS degrees. I got one through one of these programs. Which come in handy with restrictions on promotions / positions based on ed reqs.
> but they generally are not the type to be filtered by an email domain requirement.
They are exactly the type to filter by something as "trivial" - 99% of their target audience is Math nerds with .edu emails.
The other 1% will go the other 99% of the way to acquire the needed materials to satisfy the target condition. Which in this case, is a room-temperature check compared to the challenges.
They do, as do machine learning/AI firms, insurers and other actuarial firms, and, of course, academia. Like every other postgraduate specialization there are subreddits full of threads of people discussing "what am I going to do with this doctorate I'm getting if I don't end up becoming a tenure-track professor?".
PhD's in Math are very rare, and uneconomic. Aside from Wall Street and Langley, no one outside of SV talent recruiters is paying for someone who has spent their prime thinking years considering the viability of certain types of "up-my-sleeve" numbers - no one else has that capital for specialty, almost certainly fruitlessly, since infosec advantage isn't sum-net-zero. Any APT that will pay will have a slight advantage; that opportunity cannot be simply absconded.
That is why NSA skews the average with their hiring practice, let alone indirect contractor influences - although the pure math SME's are held tighter to the chest than even private contractors can boise.
> aren’t logically inconsistent.
Sure, if you remember PhD's in Elliptic Curve Cryptography or Number Theory or applied but pure 'XYZ' field of promising arcane mathematics are extraordinarily rare, and skew towards a certain demographic as well. The motivated, undeterred, socially-inept few.
And the former is similarly not evidence that they mostly hire people with edu emails.
I can tell you, objectively, statistically, that those who have Math degrees have a lower chance at needing help resetting their password to their .edu email. And a much, much higher chance at actually graduating with a grace period and mental clarity to leverage it for a brief window during their opportunity. You can (kinda) check yourself at https://nces.ed.gov/ and https://analytics.usa.gov/.
As the excellence required increases, the numbers get low enough, you can hire ALL the talent. And have enough 'explanatory' budget left over for institutional-preserving things and normal bureaucratic neo-con noise.
You can hire more Math PhD's than anyone, and still mostly not hire math people.
There are very, very few Math PhD's that can, even theoretically, threaten the current risk portfolio of our nation. But if they even did exist, you would not want to single them out by being the only one they hired.
All signals require noise. Work cannot be performed absent a temperature gradient.
PhDs in math are not in fact rare, and having attended numerous cryptography conferences I can assure you they're a lot more socially normal than computer nerds in general are.
The irony being that your mathy conferences didn't mention the observational bias of conferences themselves filtering towards "socially normal people" than "computer nerds in general"
You are comparing those who speak a language very few can fathom to a magnitude more, less specialized, more general base, which in itself, is a superset of math nerds.
Almost all math nerds are "computer nerds" to the-non STEM type.
Control for proper prevalence and you'll find your circle is much smaller than you wish you would believe.
Even if they hired the sum graduating phd class of every math program in the country it wouldn’t change the fact that math phds are not their hiring target.
They have to hire N non-math phds for every M math phd they hire to support their hiring metrics. Like every other large technical bureaucracy in the world.
None of that has anything to do with advanced capabilities and, again like every other technocracy, has to do with management and ops.
I got the point. I can be wrong then, for the collective interest.
> Even if they hired the sum graduating phd class of every math program in the country

If all the elite Ivy League math outlets followed a similar excellency distribution that would be a waste of budget. But the top 5 PhD's at the top 3 institutions are far more capable than the sum of the remaining, especially to the incredibly niche, relatively uninteresting, math domains that actually impact national security.
> country it wouldn’t change the fact that math phds are not their hiring target.
here? of course not. Math PhD's in general? not even.
but the absolute best of those math PhD's already got poached; the challenge like above is dredging for raw infosec talent
they have to attract and retain the most misunderstood talent in the world in the most specific field with the smallest initial return on investment per head.
not doing so hands the lead over to adversaries, that maintain a near-constant academic/competitive edge due to domestic ...infil.
> None of that has anything to do with advanced capabilities and, again like every other technocracy, has to do with management and ops.

What a coincidence then, they average quite a lot more crypto-maniacs per capita than public sentiment would care to ever be let suggested.
It is so bizarre that a very-well known factoid is so earnestly debated.
I completed the 2022 version of this and received some nice NSA memorabilia. It is a fun challenge, but it is pretty difficult to complete it all. Looking back at 2022, it looks like maybe 100 people completed the entire challenge.
> it looks like maybe 100 people completed the entire challenge.
It looks like (https://nsa-codebreaker.org/leaderboard_2022) at least 350 schools have a "School Solve Times" that isn't null, so unless some students are enrolled in multiple schools, it seems like way more than 100 people managed to solve it.
Go to Task 9 at the bottom. 40-something schools had people score, about 102 people scored on that task (more completed it though, not sure what the difference is, hand counted so may have miscounted).
Correct, which is why I say 100-something. For some reason, they put all the schools in every table. Just a guess, but I assume "scorers" are only people who solved it in the limited time window.
I got this error while trying to register. Does anyone know a simple way to bypass this?
"Sorry, that email domain is not recognized. -- An email address from a recognized U.S. school or university is required. If your school's domain is not recognized, please request it to be allowed by clicking HERE"
Just looking at the site it seems they pull from an approved list of .edu domains so I think 2 probably wouldn't work unless you could social engineer your way onto the approved list. The ones sold by Hafis might not either, I didn't see a list of approved institutions readily available though.
Just because it's a computer security challenge doesn't mean you should start breaking into the website before the challenge begins. That's akin to suggesting that boxers who were deemed not to qualify for a competition should punch the referee to prove otherwise; what's normal inside the sport can be entirely unacceptable outside it.
I agree, but it clearly says you need an edu email. Either you have an edu email, or by asking how to skip that check you're trying to circumvent the website limitations. So in spirit, you're already trying to break in, just through different means :)
If you don't have a family, the Air Force won't let you fly a plane.
You think being omnipotent in a modern world wouldn't bring its own shade of problems?
It's more akin to the boxers who were deemed not to qualify cuz they're deemed arbitrarily too old and remind the judges of their youth, all in good fun.
If you cannot get access to an @edu email for long enough to verify a 2FA between Facebook familiarity and now, you likely aren't of the caliber outside of the domain specialty that can be entrusted with that magnitude of information.
> If you don't have a family, the Air Force won't let you fly a plane.
Can you cite a source for this? I'm acquainted with some USAF people and have close friends with fighter pilot siblings (I know, family) and I have never heard this before. If by "family" you mean "a spouse", the people going up in trainers are too young to have built families, so that can't possibly be a DQ.
In fairness: so too does the claim that this is a test of whether you can hack a .edu email address, like it's 1994 and the next test in their CTF is whether you can find an X.25 outdial. No, they're just recruiting from engineering schools, like everyone else!
Career tip: if hoping for a GG-whatever role at NSA, recommend not committing crimes in the process of trying to impress them. They are a lot more boring than you think they are.
well, it's not really a crime when you do it for the homeland. also not a crime if it's boring.
Is it cheating to use commonplace AI? NSA are a practical bunch, they probably don't much care how one solves the problems, but AI could change the nature of such tests. The rules say no getting help from persons, which leaves the AI door open imho.
(Fysa, there is a reasonable chance that someone involved in this competition is following this topic. HN is known in the more nerdy corners of the int/defense world.)
Do US universities offer their pupils email addresses forever, or many decades past graduation? Or is the challenge exclusively for current US students?
I lost access to my (European) inboxes a loooong time ago.
I still have my email after graduating 11 years ago. I was able to sign up with it, selecting "Alum" as the best description of my relationship with the college.
It depends on the school. Some have an "email for life" thing, one school I attended tied that to a (relatively low-cost) annual "donation". Many close your account once you graduate, though.