I recently talked to Kevin Browne of Software Hamilton about Cryptogeddon. That discussion turned into this Q & A Interview on the Software Hamilton website. I’m reblogging the interview here as well. And, I’ll be speaking at Software Hamilton’s DemoCamp 13 at Mohawk College tomorrow night (Tues Sep 24 2013). You should come! There’ll be lots of great speakers. Come check it out.

And now, on to the interview:

Cryptogeddon (@Cryptogeddon) is one of the most original concepts for a game that I’ve heard of in recent memory. The first Cryptogeddon mission pack is now available for purchase for $0.99. Cryptogeddon creator Todd Dow (@toddhdow) works as Senior Digital Specialist at Postmedia here in Hamilton, and he will be showing off the game at DemoCampHamilton13 on September 24th. Check out the interview with Todd below:

Tell me about yourself.

I work full time at Postmedia as a Senior Digital Specialist. In my spare time, I like to write. And, I am an avid fundraiser for Cystic Fibrosis Canada. My 6 year old daughter has CF and our family is desperate to find a cure for this terrible, fatal disease. My wife, my kids, faith, baseball, infosec & devops are a few of my favourite things.

What drives your passion for infosec?

I enjoy the puzzle aspect of information security. Keeping and uncovering secrets results in a constant game of cat & mouse between those trying to protect information and those trying to uncover information. This results in constantly evolving and improving technology. I really enjoy the excitement and interesting developments that this entails.

And, infosec has a long and storied past – it is intimately entwined in many of modern history’s greatest conflicts: World War I & II codebreakers, cold war spies and current NSA revelations via wikileaks and Edward Snowden are just a few examples. These all make for great stories of how technology has helped shape history.

What is Cryptogeddon about?

Cryptogeddon combines two words: Crypto is short for cryptography, which is the practice and study of hiding information. Geddon is short for armageddon, which infers end times in some way. Cryptogeddon suggests the end of secrets and what that might entail.

Cryptogeddon provides various missions, each of which challenges the participant to apply infosec tools to solve technology puzzles – an online scavenger hunt, if you will. The missions span a variety of targets, tools, techniques and scenarios. At first glance, the missions may seem discrete and unconnected. But over time, I suspect that a common theme and storyline will emerge.

Ultimately, I am trying to create something that will highlight the boundaries of privacy and to reinforce the fact that very little can be kept secret anymore.

Who are your target users for Cryptogeddon?

People that are naturally drawn to puzzles will enjoy Cryptogeddon. Obviously, people that have an interest in infosec, cryptography and computers will be target users for Cryptogeddon. The challenges presented by each mission will keep these people engaged. People looking to learn more about these topics will also benefit, as each mission provides a complete solution including step by step instructions, screenshots, and links to additional resources.

What can we expect in the first Cryptogeddon mission packs?

You can expect a good overview of the infosec landscape. You’ll see a few common types of scenarios:

• Recovery of stolen data;
• Identification of system vulnerabilities;
• Identification of organized crime members and the location of stolen property;
• Assess the security of business systems;

You’ll get to analyze a few common platforms, including:

• Linux & Windows
• Apache, IIS
• Amazon Web Services
• Android & iOS
• WordPress
• Various social media platforms including Twitter, Google+ & Facebook

And you’ll learn how to apply various infosec tools, including:

• TrueCrypt
• md5
• SSH
• openssl
• Metasploit & Kali
• Nessus

How frequently do you plan on releasing mission packs?

I plan on releasing at least two mission packs each month.

What tools did you use to develop Cryptogeddon?

I use a variety of tools to build each mission. The main deliverables consist of mission packs (ebook) and solution assets (virtual machines, photographs, text files, etc.).

Each mission varies, but in general, I use the following tools and services to build and deliver the solution assets:

• Amazon Web Services: EC2 & S3 primarily
• TrueCrypt
• md5
• SSH
• openSSL
• Metasploit & Kali
• Nessus
• And a variety of editors depending on the task, including TextEdit, vi & Coda 2

Additional tools and services will be used in upcoming mission packs.

And I use the following tools to build the ebooks and deliver them to customers:

• Google Docs (for writing)
• Photoshop & Illustrator
• Shopify & Amazon Kindle Direct Publishing Service (for sales and fulfillment)

Do you have any beta testers?  Or would you be interested in any?

I do not currently have any beta testers, but I would love to have a sanity check before launching each mission out into the wild. If anyone’s interested, please send a tweet to @cryptogeddon with the subject line: “#BetaTester for Cryptogeddon.”

Why did you decide to make Cryptogeddon?

After attending Sector in 2012 (Sector is one of Canada’s largest annual IT Security Conferences), I commented to a friend of mine that I would love to see a presentation where the presenter walked the audience through a complete infosec scenario, starting with a plausible story, including characters, places and events. From there, the presenter would walk the audience through setting up the environment, selecting and installing basic tools, conducting initial scans, testing and identifying weaknesses, gathering evidence, etc.

I think this is a gap in the current infosec marketplace. You can read books that teach you how to use specific tools. You can read books that tell you stories about real or imagined infosec missions. But there are various few books that creatively mix a storyline with a technical challenge that the reader can directly interact with.

And similarly, there are a few capture the flag type events out there, but they happen infrequently and very seldom are there opportunities to have “on demand” scenarios that you can play anytime, anywhere.

Right after Sector in 2012, I said that we should try and build such a product to share at Sector 2013. My friend and I talked off and on about the idea for a few months, before I finally decided to give it some serious attention. My friend had other commitments, so unfortunately, he was unable to dedicate any time to this project. So, I decided to go it alone.

Did you run into any particular challenges making the first mission packs?

There are two particular challenges that come to mind:

First, building & sharing of server images: I was originally going to build the images using VirtualBox and then distribute the images using Dropbox, Amazon S3 or something similar. But, the VirtualBox images I was working with tended to be 1 GB or more in size, even for a small image file. I wanted to avoid the risk of high bandwidth charges and I didn’t like the idea of abusing Dropbox by opening multiple accounts to hold multiple images, so I decided to use Amazon EC2 instead. There is more effort required by participants to sign up for and learn how to use Amazon Web Services (AWS), but I think the extra effort is worth it in terms of educating Cryptogeddon participants on how to use the AWS platform.

Second, Deciding not to build a leaderboard: Early concepts of Cryptogeddon involved the concept of building a leaderboard to track progress and reward success. I think this is a great idea, but it would require a bunch of additional time and effort to incorporate a leaderboard into Cryptogeddon. I have been very focused on keeping the delivery of each mission as simple as possible. And, I wasn’t sure how much value a leaderboard would provide compared to the cost of building, implementing and maintaining it. So, for the time being, I’ve decided to skip the leaderboard.

What are you most proud of about Cryptogeddon?

Bringing the product to market. Seriously. You always hear how tough it is to be an entrepreneur. Not only do you have to build the technical product, but there are a million other things to take care of as well: choosing a business name, logo, design, prototypes, testing, marketing, decide upon pricing, sales and fulfillment mechanisms, finance & accounting, and more. And all of those items need to be done APART from developing the actual product! Building the missions has been a great deal of fun. So has all of the other stuff. But I’d say that for every hour I spend building missions, I’ve spent 10 hours on the other stuff.

A quote from a recent article from Fast Company really resonated with me:

Successful entrepreneurs distinguish themselves from wannabe entrepreneurs simply by swallowing their fear and getting started. Jake Bronstein, founder of Flint and Tinder, purveyor of high-end made-in-America men’s underwear, says waiting too long ultimately results in paralysis.

“Start right now, and don’t talk to experts until you have started. If everyone knew all of the trouble, all of the problems, all of the pitfalls that lay ahead of you (as the experts in the field already do) nothing would get done, certainly nothing new,” he says. “You don’t need a business plan, you just need a plan.”

It reminded me to keep working through the numerous barriers and challenges and reach that end goal of delivering a fun, educational and rewarding experience to infosec practitioners.

So yeah… I’m most proud of having the perseverance to actually get to market.

How can the community help you make Cryptogeddon succeed?

Two things: feedback and help spread the word. I’d love to hear what people like and dislike about Cryptogeddon. Both positive and negative feedback are helpful and will help to improve the missions over time. And spread the word – tell your friends about and share Cryptogeddon (@cryptogeddon & cryptogeddon.com) on Facebook, Twitter, Google+, etc. The more people talk about and share Cryptogeddon, the better.