OTB @ DC16: Roll your own contest.

Collapse
X
Collapse
 
  • Page of 1
  • Time
  • Show
Clear All
new posts
Previous template Next
  • sk00t
    Productivity Vortex
    • Jun 2007
    • 142
    #1

    OTB @ DC16: Roll your own contest.

    So I liked the banking / card merchant scenario I'd been working on. I have a tarball sitting around right now with 120,000 fake names and CCNs waiting to be put to good use.

    But.... When the most interested parties on the forums are telling me it's horked I can take a hint.

    Since last year much of what we came up with came from input here, I'm going to circle back at this point and ask for the same thing this time around. Believe it or not, we are actually way ahead of where we were last year!

    So... What are you wanting to see in terms of a defender contest at DefCon?

    You have the following constraints to operate under:
    • Somehow, entries have to have a real attack surface and attackers have to have a fighting chance.
    • Compromise has to be empirically measurable.
    • IPV4, 10/100 ethernet. 48 port switch. Attackers will not be on the same layer 2 LAN.
    • A dedicated and highly motivated base of attackers, for reasons that I'm going to keep hush-hush for a bit.
    • Ideally, the stakes should go up progressively.


    So, whether you're a defender, an attacker, or just someone with too many opinions, what would you do?
    3
    ... should stay the same as last year.
    100.00%
    3
    ... should be something different.
    0%
    0
    "Raise a toast to ... I think he might have been our only decent ."
    Tags: None
    • konstantinkoll
      Member
      • Nov 2007
      • 6
      #2
      Re: OTB @ DC16: Roll your own contest.

      I am travelling to DefCon specifically to let people try to hack my own operating system / HTTPD (see http://www.deskwork.de/ for a German webpage on it).

      I would - among free files for testing and browsing - put three tokens on my laptop: one password-protected text file (the HTTPD and file system support password protected files), one text file in another account (should neither be visible nor acceassble), one text file in the root file system (the same).

      I'm willing to bring some cash for those who retrieve the text files (like $100, $50, $25). The five points above are fine for me.

        Comment

        • Homeslice (tm)
          n00b
          • May 2008
          • 18
          #3
          Re: OTB @ DC16: Roll your own contest.

          IMO it should be like CTF only with us building the target boxes. Can we glom onto the CTF scoring system somehow?

          How about setting a service list of ports that must be functional... ie, working with test data you provide, or hosting a site that you provide. That way you can be assured of a reasonable baseline of attack surface, and then assign a series of flags to each box with values varying with level of access demonstrated by possesion of the flag.

            Comment

            • sk00t
              Productivity Vortex
              • Jun 2007
              • 142
              #4
              Re: OTB @ DC16: Roll your own contest.

              Originally posted by Homeslice (tm)
              IMO it should be like CTF only with us building the target boxes. Can we glom onto the CTF scoring system somehow?
              The service description and points per transaction thing was more or less glomming onto CTF's scoring system, though different groups have done it different ways over the years -- points for a "good" transaction, points for an "own". That said, as everyone has pointed out, this is a lot harder for something that's encouraging folks to do their own thing, with platforms and hardware all over the map. For the last few years Shoto and associates have been providing prebuilt servers or VMs / jails at contest start to defend.

              http://www.nopsr.us/ctf2007/overview.html
              http://www.nopsr.us/ctf2006/overview.html

              Originally posted by Homeslice (tm)
              How about setting a service list of ports that must be functional... ie, working with test data you provide, or hosting a site that you provide. That way you can be assured of a reasonable baseline of attack surface, and then assign a series of flags to each box with values varying with level of access demonstrated by possesion of the flag.
              I'm open to providing "reference" apps that implement the protocol and are measurable in some way for defenders to run -- say, a web app in PHP/Ruby/etc, some network services, etc. If someone wants to use the reference app as a way to build their own service, they could, but folks could also just install them.

              The hard part there is that they will pretty much have to be either source code or interpereted / scripting languages like Python/Perl/PHP/Ruby/etc, since I'll have no way of knowing what the underlying platform / OS might be...
              "Raise a toast to ... I think he might have been our only decent ."

                Comment

                • Homeslice (tm)
                  n00b
                  • May 2008
                  • 18
                  #5
                  Re: OTB @ DC16: Roll your own contest.

                  Originally posted by sk00t
                  The service description and points per transaction thing was more or less glomming onto CTF's scoring system, though different groups have done it different ways over the years -- points for a "good" transaction, points for an "own". That said, as everyone has pointed out, this is a lot harder for something that's encouraging folks to do their own thing, with platforms and hardware all over the map. For the last few years Shoto and associates have been providing prebuilt servers or VMs / jails at contest start to defend.

                  http://www.nopsr.us/ctf2007/overview.html
                  http://www.nopsr.us/ctf2006/overview.html



                  I'm open to providing "reference" apps that implement the protocol and are measurable in some way for defenders to run -- say, a web app in PHP/Ruby/etc, some network services, etc. If someone wants to use the reference app as a way to build their own service, they could, but folks could also just install them.

                  The hard part there is that they will pretty much have to be either source code or interpereted / scripting languages like Python/Perl/PHP/Ruby/etc, since I'll have no way of knowing what the underlying platform / OS might be...
                  Well, to be honest, I can't think of too many platforms that can't be made to run any of those interpreters mentioned. Then the issue is in ensuring that the reference apps don't give up the ghost under attack. That is not a real issue for me at least, I just don't want to have to code an app from scratch to implement this scoring method simply so we can score how well my box does. In my opinion it is pwned or not pwned. I'm not in the contest to win anything, the struggle is the reward for me and I hope I do get pwned so I can learn something from it all.

                  A script is the best way IMHO since most can be easily ported from one plateform to another. The app is just a way for you to keep score and ensure that attackers have something to attack instead of a default instance. Like I said, I don't mind securing an install or a script, I just don't wanna write the damned thing myself (because I suck at writing code) from scratch, or have to babysit the thing all weekend.

                    Comment

                    • HAL999
                      Just another funster
                      • Jan 2008
                      • 27
                      #6
                      Re: OTB @ DC16: Roll your own contest.

                      Skoot,

                      I tend to side with Homeslice's thinking on services/ports and hosting of apps. IMHO (and it is *simply* an opinion), it might be easiest to specify simply a range of things that entrants must provide (one web app, one admin interface [i.e., ssh on 22], etc.) so that each entry has to offer some sort of reasonable 'face' to the Net, for each contestant to have at.

                      It may also be best to remember that this is fun, not work, and should be a 'good time in vegas', instead of 'electronic title-fight tap dancing for domination of the digital world' - enough of that in day jobs.... and it's three days... what are you really going to do in three days?

                      And I second Konstillkroll's tiered reward, that is exactly what I would offer might be of interest (a sliding scale) based upon level of access. In dollars, euros, yen, quattloos, whatever you like...

                      Also - I know the point about jabbing the staff was a bit harsh (humblest apologies), but it would be nice to be plug and play, so contestants get all time available for Net fun....

                      It is a contest for shirts as well. I'll bring a few 'deaf-mutes' in addition to dineros...

                      Best, HAL
                      ZZ

                        Comment

                        Previous template Next
                        Working...