0wn the box? Own the box!


Nikita
06-12-2007, 12:49 PM
http://ownthebox.cipherpunx.org

0wn the box? Own the box!

Are you a defensive ninja? Are your services unbreakable, your builds airtight? Do your countermeasures have countermeasures for counter-countermeasures?

So prove it, bucko... Bet your box on it, on the most hostile network in the world.

Bring your laptop/server/desktop, hardened to the nines, running exactly two (2) visible services, to our specs, and we'll offer you up for the slaughter.

The first person to compromise you walks away with your gear. When you're 0wned, you're owned. It's that simple. The last box(en) standing, unowned, wins, and the winner(s) can take his/her precious back home, safe in the knowledge that if it survived at DC, it can survive anywhere.

For the other side of the fence, the reward is clear... Pick your target, 0wn the box, and own the box. A shopping spree for the elite.


This contest will be a great addition to the contest lineup. It will be on the DC site soon; the contest organizers will be holding a sign-up on the forums, with more info to come. I'm really excited to read what you guys come up with for hardware too.

meee
06-12-2007, 01:08 PM
hmmm a great way to get rid of old equipment.

renderman
06-12-2007, 01:56 PM
Hacker pinkslips

sk00t
06-12-2007, 03:01 PM
> Hacker pinkslips

You got it. I'm hoping we can get some folks to bring some interesting gear. I have one c64 with web server signed up now...

Anyone who wants to sign up, please send me a PM for more details.

How cool would it be to have a shirt that said "Nobody 0wned me at DC15!"?

kallahar
06-12-2007, 03:31 PM
If the services are simple then it shouldn't be too hard to write secure code. Just disable all the remote admin stuff, make sure your code doesn't have buffer overflows... It should be pretty easy to make an unbreakable box. What are the "two services"?

sk00t
06-12-2007, 04:04 PM
> If the services are simple then it shouldn't be too hard to write secure code. Just disable all the remote admin stuff, make sure your code doesn't have buffer overflows... It should be pretty easy to make an unbreakable box. What are the "two services"?

Roger that, totally understood. I initially thought it best to be vague, but maybe I should get some more detail out there.

The two services will need to actually be complex (a forum like this one, a CMS, a functioning mail server, etc), and not just sit there, be patched, and offer up a banner.

There will also be two stages, the first day being remote only, the second day we'll up the stakes, requiring you to give out accounts or shells, so entrants will need to also think about authenticated users local to the box.

Complexity breeds exposure, so an entrant should expect complexity.

converge
06-12-2007, 04:12 PM
heh.. I still have a bunch of reading to catch up on this new contest... but I have to comment, sk00t has .. bar none.. the best Uncle Ira avatar on the forums.

Chris
06-12-2007, 04:13 PM
I think this is a cool contest, but the way it reads, if you lose, you lose your box, but if you win you get to keep your box. There must be additional prizes...otherwise the risk/reward ratio seems pretty weak if you are just trying to fend off others, not actually attack.

Other than the joy of keeping your own equipment, are you offering anything up to the winner?

sk00t
06-12-2007, 04:41 PM
> I think this is a cool contest, but the way it reads, if you lose, you lose your box, but if you win you get to keep your box. There must be additional prizes... otherwise the risk/reward ratio seems pretty weak if you are just trying to fend off others, not actually attack.
>
> Other than the joy of keeping your own equipment, are you offering anything up to the winner?

Actually, you don't need to bring a box to participate, you can obviously be an attacker without bringing a box... Or maybe you should? "Upload ratios enforced"?

The idea was to make this something more casual, where it doesn't require someone to spend the whole con, like CTF / aCTF (which are very cool, don't get me wrong...). So, as an attacker, you can sort of pop in and out, as interested.

If you're a defender, and bring a box, yeah, you're right, what's the reward? At a minimum I am promising "Nobody 0wned me at DC 15" shirts, and we'll be part of the awards ceremony, but yeah, I dunno yet. What would entice someone to do this?

I'll think hard and see what I can come up with to encourage people.

For me, I thought it would be a fun way to unload some hardware. I'm also going to hassle as many security-centric projects as I can and see if I can get a bite or two... Updates as warranted.

Chris
06-12-2007, 05:18 PM
> Actually, you don't need to bring a box to participate, you can obviously be an attacker without bringing a box... Or maybe you should? "Upload ratios enforced"?
>
> The idea was to make this something more casual, where it doesn't require someone to spend the whole con, like CTF / aCTF (which are very cool, don't get me wrong...). So, as an attacker, you can sort of pop in and out, as interested.
>
> If you're a defender, and bring a box, yeah, you're right, what's the reward? At a minimum I am promising "Nobody 0wned me at DC 15" shirts, and we'll be part of the awards ceremony, but yeah, I dunno yet. What would entice someone to do this?
>
> I'll think hard and see what I can come up with to encourage people.
>
> For me, I thought it would be a fun way to unload some hardware. I'm also going to hassle as many security-centric projects as I can and see if I can get a bite or two... Updates as warranted.

Like I said, I think this is a cool contest.

I am interested in participating, but basically from the standpoint of build it and drop it off (I have too much to do to actually sit there for any period of time) and see if my config/scripts/etc can withstand the attacks. That said, if all I get for my effort is my own computer that I already had, it seems like kind of a waste...although I do agree that the knowledge that you were able to fend off the attackers is pretty slick in and of itself, but I don't think that makes up for the risk of potentially losing the box.

As for what would entice folks... I don't know... but you'd think that the reward would need to be rather significant to even out the pot odds.

sk00t
06-12-2007, 06:51 PM
> Like I said, I think this is a cool contest.
>
> I am interested in participating, but basically from the standpoint of build it and drop it off (I have too much to do to actually sit there for any period of time) and see if my config/scripts/etc can withstand the attacks. That said, if all I get for my effort is my own computer that I already had, it seems like kind of a waste... although I do agree that the knowledge that you were able to fend off the attackers is pretty slick in and of itself, but I don't think that makes up for the risk of potentially losing the box.
>
> As for what would entice folks... I don't know... but you'd think that the reward would need to be rather significant to even out the pot odds.

Build and drop it off is exactly the intent. In addition to not having space to set up for the keyboards / monitors / etc, to me it would be kind of unfair to let people sit and babysit their boxes.

So yeah, you'd be expected to hand it over, and (hopefully) get it back at the end of con. I'm still puzzling on rewards. I will nag Kita / Russ and see what schwag they can come up with.

Of course, this is Vegas, and if someone's absolutely confident their stuff is unownable, no matter what, what's to lose? :)

TheCotMan
06-12-2007, 08:28 PM
Attackers could provide something in order to be assigned an IP address to use, and then the defenders get to keep the attackers' goodies when the attackers don't come in first, second or third by number of boxes "owned".

Entrance fee? Booze? Money? Food? Something else?

Give the attackers something to lose as well. :-)

sk00t
06-12-2007, 08:40 PM
> Attackers could provide something in order to be assigned an IP address to use, and then the defenders get to keep the attackers' goodies when the attackers don't come in first, second or third by number of boxes "owned".
>
> Entrance fee? Booze? Money? Food? Something else?
>
> Give the attackers something to lose as well. :-)

There's always the possibility of vigilante justice if someone walks in with an 0day and grabs ten boxes in a swipe. We're not promising security after you walk away with the box and leave the con area.

This could get ugly...

BTW, one update, I got one offer of a low-serial number NeXT box. Right now my count is somewhere around 5, and I haven't started on my own stuff to bring yet.

Still working on the defenders prize side, I may have tracked down a patron. :biggrin:

sk00t
06-18-2007, 01:03 AM
> heh.. I still have a bunch of reading to catch up on this new contest... but I have to comment, sk00t has .. bar none.. the best Uncle Ira avatar on the forums.

It's actually Che Stallman (http://www.businessreviewonline.com/os/archives/2007/02/stallman_orders.html), but yeah, sans glasses and Hackercrombie tee, you're right, the resemblance is pretty uncanny...

Chris
06-19-2007, 05:43 AM
> Build and drop it off is exactly the intent. In addition to not having space to set up for the keyboards / monitors / etc, to me it would be kind of unfair to let people sit and babysit their boxes.

Just curious, how does this fit in with day 2? You mentioned that day 2 would require interaction, accounts, etc. How are we supposed to do that if we drop the box off on day one and walk away?

sk00t
06-19-2007, 08:44 AM
> Just curious, how does this fit in with day 2? You mentioned that day 2 would require interaction, accounts, etc. How are we supposed to do that if we drop the box off on day one and walk away?

We'll provide the creds to the entrants beforehand and publish them on the second day.

kevine
06-19-2007, 05:22 PM
yeah, OK so far this looks the most interesting out of the new contests (sorry Panadero...I even suck at toy guitars). I await further details in the FAQ regarding the custom service we need to run but I guess if a C64 will run it then a 286 should be fine.

Now, where the hell are my DOS 2.0 disks and wu-FTP 1.0a files.....

sk00t
06-19-2007, 08:01 PM
> yeah, OK so far this looks the most interesting out of the new contests (sorry Panadero... I even suck at toy guitars). I await further details in the FAQ regarding the custom service we need to run but I guess if a C64 will run it then a 286 should be fine.
>
> Now, where the hell are my DOS 2.0 disks and wu-FTP 1.0a files.....

Basically the only requirement is that at least one of the services have some second layer that requires authentication. On day two, we'll give out creds for all the services, so you'll need to have something to log in to. Beyond that, the services listed in the FAQ are the suggestions.

The only reason we say "running two visible services to our specs" in the announcement is that I don't want to waste everyone's time with a bunch of stuff sitting there offering up one static HTML page and a fake SMTP server with a banner that says "go away".

286 will be fine, as long as you've got a network jack. The c64 entry (which I'm still waiting for detail on) would have one (http://www.dunkels.com/adam/tfe/pictures.html) as well, if it makes it.

Contrarian
06-23-2007, 08:40 AM
Do we get to attack the attackers as well? Seems to me that if you want to play, then everyone needs to be on the defensive and anyone is open to attack and losing their box.

sk00t
06-23-2007, 08:25 PM
> Do we get to attack the attackers as well? Seems to me that if you want to play, then everyone needs to be on the defensive and anyone is open to attack and losing their box.

This is not CTF, so you actually hand the machine over and are expected to leave it alone until the end of the contest, and you don't have to bring a box to play.

What you're describing would (to me) be too much like existing contests, albeit with higher stakes and without a team aspect. The idea is for this to be sort of a real-world analogy for what running a box with public services on the 'net is every day... You versus the world.

So... The attackers are actually anyone and everyone who wants to go after a given box. My hope is that we'll be up on the DC Wifi and accessible to everyone, but at a minimum I will have 48 ethernet ports available, and anyone can walk up and cable in.

That said, I suppose if one of your accessible services was for example SSH, you could be logged in and play whack-a-mole with all the stuff coming at you.

As far as attacking the attackers (keeping in mind the source machines likely aren't entries in the contest), from my experience this would be no different from typical traffic on the con network, wouldn't it? :biggrin:

Contrarian
06-23-2007, 08:43 PM
> As far as attacking the attackers (keeping in mind the source machines likely aren't entries in the contest), from my experience this would be no different from typical traffic on the con network, wouldn't it? :biggrin:

But if I own somebody on the con network, I don't get to take their box home.

If I log in to my box and see somebody is trying to attack me, I should be able to then try to attack the attacker in return.

This adds an element of risk for the attackers as well. If they want to show their stuff, they better be able to also defend themselves appropriately. They don't need to have any services open. Just as in the real world, someone attacking you would be stupid to leave themselves vulnerable. However if they do, and you're able to root them, you get to take an extra laptop home with you.

The attackers just need to make sure their box is completely locked down also. However I'll bet a few of them may not be, and this would add an additional element to the game. The attackers shouldn't be left in a completely risk-free scenario.

Besides, it'll probably happen anyhow. I'm sure some people will be attacking vulnerable attacker machines just for the sport/fun/be-a-dick.

sk00t
06-24-2007, 11:53 AM
> This adds an element of risk for the attackers as well. If they want to show their stuff, they better be able to also defend themselves appropriately. They don't need to have any services open. Just as in the real world, someone attacking you would be stupid to leave themselves vulnerable. However if they do, and you're able to root them, you get to take an extra laptop home with you.

I did have the same thought, and I personally like the idea. I think the problem right now is that because we're already a late comer to the contests I'm not sure we can change the requirements now that we already have about 10-15 boxes. Everyone else entered is purely coming in as a defender now.

BUT -- I do like this concept, and I think others would as well. The intent is a little bit different in that the proposed approach is something I can see people spending a majority of their time at the con on, but I really like the idea of something CTF-like that is solo, rather than team-oriented. Part of why I wanted to do this is that I always want to do CTF but don't have a posse and don't want to join someone else's. :)

I'd say let's try things out with the current route and then go from there. This first year is an experiment, and based on feedback and what everyone thinks we'll grow and change as we go along.

If interest turns out to be very high, I see nothing wrong with requiring people to bring their own entry in order to participate. For right now, though, I know that as long as I can get enough defenders there will be no shortage of attackers, so we're guaranteed to have something workable out of the gate, as a new contest.

But again, hold on to the idea, and let's talk during con and see if this is a change everyone would like to see for next year.

Contrarian
06-24-2007, 07:00 PM
Fair enough.

I'm thinking of putting up a locked down windows server to see how well it holds up. Not sure if I want to risk losing the laptop though, it'll depend on what the reward potential ends up being, and if I go to DC at all this year.