I encourage you to gain unauthorized access to my computer or accounts.
If you do, I'm offering a treasure hunt prize in bitcoin.
Inspired by my friend @NikolasKAMA.
Try to steal these:
Beating me up or threatening me with physical violence is not fair game. Blackmail, or physically taking my laptop or computer out of my hands while I'm using it, is also not allowed.
I have not secured my home against physical break-ins.
Don't break into my house for these bounties. It's okay if I let you in.
My phone and laptop are logged in to Facebook, Twitter, and Gmail. If you manage to find them unlocked, you'll be able to retrieve these.
The point of the game is to educate people on security. If you find a vulnerability, but are unable to fully exploit it, please let me know. You may be able to receive a partial bounty without retrieving the hidden treasures.
As an aspiring security professional, I am required to maintain a certain level of paranoia and to follow best operational security practices for my accounts and systems. For my threat model to be rigorous, my security must be tied to a monetary value. Putting a bounty on it gives me some confidence that the cost of breaking my security has a financial lower bound.
I work on cryptography and other security tools which require a high level of security. Access to my computers or accounts could negatively affect the people using my tools.
I am also associated with the bitcoin and infosec communities, and I work on open source projects all the time. Access to my computers or accounts by malicious parties could negatively affect my open source projects. Many people rely on the GPG signatures on my commits, and on my commit access, to make sure those projects are secure. If my signatures are to be treated as trustworthy, I need to have some confidence that my systems are secure.
Also, don't violate my privacy, steal my bitcoins, or make GPG signatures in my name. Use common sense.
Typical theoretical treatments of operational security remain problematically unpragmatic, even when performed by experienced professionals. As the list of successful past attacks shows, even though I am somewhat aware of my security, the cheapest and easiest attacks are often the unexpected ones: I tend to worry about advanced problems while remaining vulnerable to the simplest possible attacks.
By encouraging white-hat friends and colleagues to attack me and disclose their methods, I protect myself against malicious attackers who could attempt targeted, concealed, and persistent attacks. White hats and black hats use similar methodologies. Each time a bounty is collected, I improve my defences, and that method no longer works.
I do not base my security on obscurity, so I am disclosing my basic policies here to help adversaries who are treasure hunting. While I try not to, I may deviate from these policies under social engineering pressure, so even though I may think I am secure, it may be worth a shot. Some of my policies are outlined in the Hall of Fame above.
Several friends are also playing this bounty game, as they feel it helps them improve their opsec practices too. Their bounties are listed below. Their rules of engagement are similar to those above. If you have a bounty on your machine, let me know and I will add you to this list.
Steal the e-mail with the subject Bounty secret #1 from his Gmail.
Steal the Facebook note called Bounty secret #1 from his Facebook.
Steal the direct message from him to himself on his Twitter.
Steal the secret file ~/.bounty from his personal MacBook.