[p2p-hackers] announcing the Hack Tahoe! contest

zooko zooko at zooko.com
Fri Jul 18 19:53:29 EDT 2008

  ANNOUNCING the "Hack Tahoe!" contest


Tahoe, the Least-Authority Filesystem [1], is a secure, decentralized
filesystem.  It is developed as a Free Software, Open Source project.

The Least-Authority Filesystem offers security and fault-tolerance
properties far greater than those of other distributed filesystems --
in addition to being protected against external attackers, users of
Tahoe are protected from the servers themselves, even if some of the
servers are malicious, and they are protected from other users, even
though they can choose to share specific files or directories with
specific users.

Security is nothing without usability, and to that end Tahoe
integrates cleanly with the World Wide Web using the principles of
REST [2], and it provides a simple and flexible method of sharing
access to your files (by sharing the URL of that file, using the
principles of Capability Security [3]).

We have created and deployed an implementation of the Least-Authority
Filesystem -- Tahoe v1.1 -- which we believe provides these strong
security properties.  However, we know that there is no substitute for
peer review, and so we are challenging the hackers of the world to
prove us wrong.  If you find a major security flaw in the design of
the Least-Authority Filesystem, or in the implementation of Tahoe,
then you win a customized t-shirt with your exploit and a big "Thank
you" from us printed on the front.  Also, you will be entered into the
Hall of Fame on http://hacktahoe.org .

Two people who discovered security flaws in earlier designs and helped
us to fix them have been retroactively declared as the -2nd and -1st
winners of the "Hack Tahoe!" contest.  Explanations of the security
flaws that they discovered, how we fixed them, and pictures of them
with their customized t-shirts are on the http://hacktahoe.org web

If you want to be the 1st winner of the "Hack Tahoe!" contest, you'll
have to find a security design flaw that we overlooked, or an
implementation mistake that you can exploit. The metric of success is
that if you discover anything which compels us to change Tahoe and to
alert current users about the issue, then your discovery is worthy of
a customized t-shirt.

Other than that anything goes, because one of the first rules of
security is that you can win by breaking the rules.  People are
already relying on Tahoe to store their files safely and privately, so
if there is any way in which Tahoe is endangering their data, we want
to learn about it as soon as possible.

To get started, see the description on http://hacktahoe.org of what
security properties Tahoe is supposed to provide.  That web site has
news, a live Tahoe storage grid which you can play with, example
targets you can attack, the Hall of Fame, detailed design notes, and
full source code.

Thanks, and good luck!


Zooko O'Whielacronx, on behalf of the allmydata.org team

[1] http://allmydata.org
[2] http://en.wikipedia.org/wiki/Representational_State_Transfer
[3] http://erights.org/talks/index.html

More information about the p2p-hackers mailing list