CTF submission #1 of 4

- Number of people in your organization (that will actively be participating in creating/planning/executing CTF):
20

- Experience team members have had in planning events (This could be a bake sale with 500 people, or a DoD briefings for 20 people, something that indicates some planning experience):

Coordination for training events for 40+ individuals.
Coordination semi-annual meeting of 20 corporation CEO's.
Coordination for activities of small groups of hackers to participating in ctf.
Experience with leadership of diverse hacking groups, attack forces and defensive forces
Experience with add-hoc generation of task teams to meet game or crisis needs
Access to a wide array of people which can be leveraged at and before con to problem solving and challenge meeting associated with the new CTF game.

- Technical ability of team. This would include a general list of people's abilities * networking, hardware, etc and support the idea you can pull this off:

Several professional developers of networks wireless
Two sometimes professional engineers of networks
Several professional security researchers/forensics analysts
One amateur sheep luuuuuva
Other really smart people

- Physical resources (if any) that you will be bringing to help run CTF such as a disco ball, robots or enigma machines. This to help us plan to accommodate it with the hotel if you require extra power or special fire marshal approval for your Cray 1 cooling towers.:

~10 servers
~3 routers
~1.7 chemistry sets (GHB and Vitamin K synthesis for sheep luuuuuva)

- What experience have your team members had in playing CTF in the past. This is not a requirement, but shows real-world knowledge of the game as it has been played in the past.:

Occasional participants in defcon CTFs over the many years. Some participation in other (not-defcon) CTF type exercises

- Explain you vision for CTF -Explain, in a general manner, your vision of your CTF.

We view the CTF as the venue for real hackers to demonstrate/practice their skills at breaking into computers by remote. While we recognize that there are many skills to hacking such as social engineering, lock picking and more we think that some of these skills are already tested in other contests running at Defcon. While other contests may be combined in some capacity, they will not be a core focus of our flavour of CTF.

- Explain how you hope the attendees will experience it. For example, they sign up on-line, get a secret package in the mail, start blindfolded with an unusual laptop? Are their certain crises points you will introduce during the game to confuse or add to the pressure?

Attendees wishing to participate in the team portion of CTF will be required to register in advance in order to participate in the team qualifying round expected to take place approximately 2 months prior to Defcon. We anticipate accepting nine teams (plus returning champion) into the team competition to take place over the three days of Defcon. An individual competition organized similar to the qualifying round may be also offered during the con. Such an individual round could be entered by anyone choosing to register at Defcon. The individual competition would be accessed on the conference wireless with a scoreboard displaying the current individual leader board in the CTF arena. Teams may be required to overcome some initial challenge such as picking a lock to obtain access to their network feed into the game. A mob style element may be introduced by providing a game connection to the chill out area/amateur ctf tables. The mob would effectively be a non-scoring team capable of attacking all of the other teams and introducing general mayhem (other than DoS attacks which will not be acceptable. Too great bandwidth consumption by the mob will result in disconnection. We are not interested in seeing a bunch of nmap/nessus scans against the game network.

-Provide three reasons your group should host CTF.

1. We have enjoyed playing and observing CTF over the years and would like to give something back to the community.
2. We feel that the perspective we have gained as players will offer us the best opportunity to make a game that agrees to the spirit of CTF, incorporating the best of what we have experienced, with fresh ideas gained from an detailed knowledge of the game that only players could appreciate.
3. We have no commercial interest in the game and are doing this not for personal gain.
4. We don't really want to play a game not hosted by Kenshoto so we thought we might try to running the thing ourselves.

-How do players or teams qualify (if there are qualifications)?

As like the past, the qualification round will consist of a point oriented competition with wide variety of topics and exercising a wide variety of skills. The challenges will take the form of a Jeopardy style board. The nine top scoring teams will be offered spots to CTF. Ties will be broken by the first team to reach the score. Qualifying teams will have two weeks to confirm to CTF. After two weeks, any teams that have not confirmed their intention to participate at Defcon will lose their spot in the game and the next available team as determined by qualifying score will be offered a chance to participate in CTF.

-Is it multi player or single-player, or a combination?

We intend to maintain the team oriented aspect of the game while introducing an individual part to the game as a way to get more interest from Defcon attendees. A prize may be set aside for the winner of the individual competition.

-What innovations or new ideas are you bringing to CTF?

We intend to bring a new scoring system to the game with different visualization for the game activities. Additionally, there may be side challenges designed to mix things up a bit and test the diversity of each teams skills. Unlike recent years, we hope to make teams to defend multiple servers running different operating systems. In order to attract more attendees to the game we hope to make several opportunities for attendees to drop in and play in some way.

-How long will the contest take, will it be 24x7, 8 hour shifts, etc?

26 total hours. 10 hours Friday, 10 hours Saturday, and 6 hours Sunday.

-What technical work is required to execute your plan. This includes setting up environments beforehand, pre-qualification work if any, writing a scoring system, etc.?

Qualifications and the actual CTF competition will each require setup.

Quals will require making questions/challenges and answers as well as communications channels, web pages and score viewing methods.

CTF will require the setup of multiple environments including scoring, display and target services.

-Give an outline of the rules that will be presented to the participants:

Generally we're finding rules to be superficial, as such we don’t intend to enforce many.

Rough outline:
No DoS. Windows is better!
No nmap/nessus scanning (they won't get you anything anyway)
Table limit of 8 enforced
No physical coercion (sheep excepted).

Quals:
We will conduct the qualifications in a similar manner as the previous Kenshoto CTF organizers to choose skilled teams for the purpose of supplying the eventual CTF competition with the most highly skilled players. The quals will include real time chat and multiple challenges with skill requirements similar to the skills required in CTF.

CTF:
All competing teams will be supplied with the same challenges at the same time or have equal opportunity to gain points or make progress. Simple game rules will be supplied in printed or digital form to ease potential language barrier issues.

-Why do you want to do this?

See section “Provide three reasons your group should host CTF.”

-Explain what you believe is the best way to gauge a hacker's abilities, and how your vision of the contest could do this?

Cross between depth of skill and breadth of skill.
Team flexibility
Team diversity
Parallels with either business or national capability
Ability to pick up sheep

CTF has traditionally been oriented around computer network attack and defense. While we recognize that there are many other areas of interest within the hacking community, we feel that many of these areas are well tested by other Defcon contests, and we would like to continue the tradition of Defcon hosting the premiere CTF event. The primary focus of the game will be software exploiting. Some side challenges may use other areas of hacking such as lock picking. Our type of the game would present approximately 15 network based services for each team to attack. Vulnerabilities made into the services would range in difficulty from simple stack overflows to more complex heap overflows and cryptographic challenges.

-Tell us anything else that you think may be important or that we might consider in choosing your group to host CTF.

You know us and our intentions/culture Our priorities lie with the reputation and progress of the game and the conference rather than in the furtherance of commercial interests.

Te amo en la noche,
Te amo en la mañana.
Me largo para que cuando fuera,
Oh ovejas de hacer lo de banana.

CTF submission #2 of 4

APPLICATION:
All contact information will be kept private, and not disclosed outside the DEFCON planning organization.
About you and your group
- Number of people in your organization (that will actively be participating in creating/planning/executing CTF):
8 core folken, 4-8 conscripts

- Experience team members have had in planning events (This could be a bake sale with 500 people, or a DoD briefings for 20 people, something that indicates some planning experience):

DoD Briefings at the Pentagon for 40 people
Teaching and Presenting for major and minor organizations and conferences (25-400 people)
IT project-management at major Fortune500 companies
Project-management of small highly-technical consulting teams
Leading a team to write a document on the hacking of purpose-specific embedded systems (4 month
project).

- Technical ability of team. This would include a general list of people's abilities * networking, hardware, etc and support the idea you can pull this off:

Development of vulnerable code and exploits for in-house uses as well as kenshoto's quals
Hacking and fabricating embedded systems. Backgrounds in telecom, hardware of all sorts, server rapid-deployment and admin, hacking and administration of Virtual Machines, vulnerability/exploit development, network/web/physical penetration testing.

- Physical resources (if any) that you will be bringing to help run CTF such as a disco ball, robots or enigma machines. This to help us plan to accommodate it with the hotel if you require extra power or special fire marshal approval for your Cray 1 cooling towers.:

Virtualization servers
Firewall and Packet-Capture systems
Two core switches, multiple access-switches
Multimedia boxen for crowd-control/distraction
Disco ball and lighting gear (minimal)

- What experience have your team members had in playing CTF in the past. This is not a requirement, but shows real-world knowledge of the game as it has been played in the past.:

Have played every kenshoto-hosted ctf, competing in both individual and teams, some have played since ghetto ran ctf. Others have played at least two years each of kenshoto's wargamez. Our conscripts such have played off and on during kenshoto and ghetto ctf's. We've participated in others such as ictf, and will likely compete in CodeGate's game in Korea this April.

-Explain, in a general manner, your vision of your CTF.

ctf must remain the foremost in hacking leetness, where the world's best of the best convene to prove their prowess. This is done through a solid core of binary reversing/analysis and exploitation. Wrap in some easier scripting- and web-based vulns as well as some excruciating eye-bleeders, and you have a firm foundation for ctf badness. Plus bonus for hardware-hacking challenge and possibly working with Joe Grand to integrate the defcon badge (already begun discussions). Add in the wrappings and fixins of social engineering and mystique provided by XXXXXXXXXX and defcon ctf will continue to rock the world.

- Explain how you hope the attendees will experience it. For example, they sign up on-line, get a secret package in the mail, start blindfolded with an unusual laptop? Are their certain crises points you will introduce during the game to confuse or add to the pressure?

Sign-up will require hacking a web application.

Quals will be a winnable hack-fest based more on Kenshoto's first year, possibly using unique keys for each team. Quals will be more closely tied to the game than in recent years, hopefully allowing the winning team to actually qualify without another team dropping out.

Game-time will be similar in nature to the 'Shotos ctf, with cool mood-lighting, videos and music... we intend to do better visualization of the game itself, however. Some challenges will be withheld and released throughout the weekend. This and other techniques will be used to reduce the value of gargantuan teams.

-Provide three reasons your group should host CTF.

We understand what makes an awesome game.
We value the integrity of the game as a hacker's playground, an outlet and training-ground. Even when pulling our most devious stunts, we stayed in contact with Kenshoto to make sure we wouldn't be hindering their vision for the game. Evil genius is great. Lamin' is not. We already have name-recognition on multiple levels, which will create buzz and keep defcon ctf from the FUD of changing hands.

-How do players or teams qualify (if there are qualifications)?

Hack several vulnerable apps of increasing difficulty. Speed is king. First 6 or 7 teams to complete quals get to come. If we do an individual game, we may take the individuals and throw them into a team. If we don't get eight individuals, we may allow outsiders to walk up and play for their team.... and impromtu team

-Is it multi player or single-player, or a combination?

Team-play, with possibilities of single-player.

-What innovations or new ideas are you bringing to CTF?

We believe kenshoto's game was outstanding! They did so many things right that we plan to include a great deal of what they brought to the table. We will be adding Web-based hacking, multilevel attacks with dependencies, better visualizations, hardware-hacking and the possibilities of individuals and walk-ons.

We've begun discussions with Joe Grand to integrate the defcon badge into the hardware-hacking part of ctf, but this late in the planning, we may have to wait until next year to pull it off. If so, we can fab up 10 boards with chips for this year's competition. XXXXXX has volunteered help in creating and validating vuln-dependencies for improved game-play.

-How long will the contest take, will it be 24x7, 8 hour shifts, etc?

Game-play will be 12-hour days Friday and Saturday, 10-2 on Sunday. We may introduce a forced lunch/dinner where stuff gets shut down at 1/6pm.

-What technical work is required to execute your plan. This includes setting up environments beforehand, prequalification work if any, writing a scoring system, etc.?

Writing vulnerable apps
Writing a Score-bot and individual checks for each service/local app
Writing visualization tools to make the game-play more real to onlookers
Writing GUI (actually it's already been started)
Creating a locked-down image for use by each team
Building virtualization hosts
Putting together the AV-control system and content
Building key-generation code for the hardware widgets
Designing a simple proto board for the microcontroller of our choosing.

-Give an outline of the rules that will be presented to the participants:

No Intentional DoS
No corporal physical attacks (on humans... plushie toys and cats are another story)
Our judgments are law
Each year we will pick a different scenario for the teams' personalities. eg. This year they will be a large multinational corporation whose entire business relies on uptime. For that scenario, service-level will be very important. Next year we may choose for the teams to be a DoD entity where defense is more important and points are more valuable. We may further split the teams up into different scenarios with different scoring in future years.

This year, scores will be 1 point for key-reads, 2 points for key-overwrites, unspecified points for the hardware-keys (significant, we just haven't agreed upon the math yet), and all points will be multiplied by a service-level agreement to force teams to keep their services running for more ultimate pwnage.

-Why do you want to do this?

We wish to host ctf to maintain the integrity and difficulty and fun of the game. ctf has been a life-changing experience for most of us, and we want to be able to provide that for other hackers.

-What hardware resources do you request or need from DEFCON?

Projectors
Power
Marketing

-Explain what you believe is the best way to gauge a hacker's abilities, and how your vision of the contest could do this?

Make them hack. Require they be creative and cross-discipline. Provide them with an outlet for their evil with lower likelihood of jail-time. Shake them up and see how they handle it. Monitor their process through packet-captures.

All this boils down to providing them with a goal and a system of “reality”. Allow them to chew on the system and see how they break the system to achieve the goal. We prefer binary-code attacks and other real-life computer hacking leetness, but have appreciation for creative leveraging of almost all sorts.

-Tell us anything else that you think may be important or that we might consider in choosing your group to host CTF.

If you don't have us host ctf, you're nuts. :)

CTF submission #3 of 4

Over the years the DEFCON CTF has become the ultimate test of hacking ability, separating the script kiddies from the leet. However, with Kenshoto stepping down, the future of binary ninjitsu has become clouded with uncertainty. The incoming hosts will have to simultaneously build on the successes of the past and introduce new challenges to keep the awesomeness of the CTF alive. This will not be a simple task, but we're up for it.

As with past years, our competition focuses on reverse engineering and binary exploitation. While it may be tempting to incorporate components such as hardware hacking, lockpicking and social engineering into our game, DEFCON already provides opportunities to explore and demonstrate prowess in those areas. By keeping our scope limited to RE and exploitation, we ensure that participants have a unique experience that avoids directly competing with any other events. However, just being skilled at reversing will not be sufficient: to defeat our challenges you will need good hackers.

Good hackers are resourceful. No matter what the constraints, good hackers will find a way to use whatever is at their disposal to tackle their current problem. Good hackers are also flexible, able to modify carefully laid plans on the fly as needed. After a baseline level of technical acuity, those traits are what make good hackers. Our CTF requires the teams to use their time and energy carefully, and be capable of changing strategies quickly.

The Qualifier

Since we want the competition at DEFCON to be as strong as possible and there will be limited spots for teams, we will hold an open qualifier in June. Each team will be given a set of five problems and required to solve at least three before we provide them with the next set. Each tier will get progressively more difficult. The problems will vary in terms of format (puzzles, binary analysis, exploit authoring, etc) but will be directly representative of the type of knowledge required for the actual competition. The eight teams with the most problems finished at the end of two days will be qualified. Time since last scoring submission will be used as a tiebreaker.

The Main Event

With respect to game format, our CTF won’t be much different than previous years. Teams will be limited to eight people at their table at a time but not limited in overall size. They will be given a clone of a server running a set of custom services that we’ve authored. Each team will be encouraged to patch their own services while exploiting the other teams’. However that’s where the similarities to previous years end. Instead of FreeBSD, the target OS will be Windows based. This better reflects the attack surface a team would encounter in the wild and mixes the game up for experienced teams.

We will also be using a zero-sum scoring system. Teams will start with a fixed number of points. When they take a flag from another team, they will steal a point from that team. If a team drops to 0 points (teams cannot have negative points), then they cannot be scored against until they get some points. This places a stronger focus on defense than in years past.

Teams will have to be careful about firing exploits for services they haven't patched because their gain from firing will be eliminated if the other teams capture and re-fire against them. As the teams start scoring against each other, strategies will evolve due to the zero-sum nature of the game. Teams that are targeted often will be under pressure to regain points, while teams that break away will become very attractive targets to everyone else and be pressured to defend their points more. We realize that this scoring scheme may require serious tuning, so we plan to have exact numbers simulated and determined as soon as possible.

Another new addition to the game will be “Lightning Rounds.” Every few hours, we will take a team member from each table, and move them away from the core game onto a side challenge. The challenges will be weighted such that the Lightning Rounds are worth competing in, but involve some risk since whoever is working the challenge can’t be at the main table. While team members are working on the Lightning Round, they cannot be replaced at the table. Scoring will be weighted based on the order of completion. Teams will have to gamble the value of winning the Lightning Rounds versus the time they’ll lose working on services.

Special consideration has also been given to how our game is viewed as well. We'll be rendering the results of the game in real time using team avatars in a unique visual environment. There will be multiple projectors displaying different perspectives in the game world. This should attract more attention to the CTF room, providing spectators with entertaining feedback on the competitor’s performance.

Optionally, we may introduce a handful of unannounced services at the start of the second day of competition. These services would not be configured, and the teams would have a finite amount of time to get them up before the service polls began. Teams would have to divide their work efforts on the material from the first day, reversing the second day material, and setting up the second day services. The goal would be to introduce some chaos into the game, not burden the teams with an I.T. challenge. Ultimately, this challenge will require the teams to be flexible with their strategy, but will not be so arbitrary that the game becomes unplayable.

In terms of rules, we want as few as possible. Part of the fun of the game will be seeing how creative the teams get with their challenges, and we do not want complicated rules interfering with that. We’ll be monitoring the game closely and work to preempt anything that seems game-breaking. For the moment, we’ve determined the follow rules to be sufficient:

1. Don’t break the network.
2. Don’t break the scoring server.
3. Don’t make the game unplayable for the other teams.

Ultimately, we see our CTF as a hacker stress test. Teams will set up one hour before the doors open on the 31st and play straight through to the evening of the 2nd. Over the ~55 hours of competition, the teams will be pushed past their breaking point and then be required to keep going.

Who We Are

We're ten talented, organized, and, most importantly, evil individuals. Between us we have significant experience with running large events. We've planned and executed successful local and regional XXXXXXXXXXX Contests, hosted the 2007 XXXXXXXXXXX, prepared and taught technical and university-level classes, and coordinated network migrations that affected hundreds of people. We've also authored several technical books.

Our respective skillsets include network engineering, software development in a plethora of languages, and reverse engineering. Our team members have written custom debuggers, developed solutions for full-system emulation of multiple architectures, and written custom game engines. We've also created and circumvented software protection mechanisms, and spent a good amount of time doing vulnerability research and exploit development. Not all of our members have participated in a CTF before, but those with experience have participated in the following:

XXXXXXXXXXX CTF 2003, 2005, 2006, 2007, 2008
XXXXXXXXXXX 2, 3, 4
XXXXXXXXXXX Qualifiers 2006, 2007, 2008
XXXXXXXXXXX 2006
XXXXXXXXXXX 2007, 2008
XXXXXXXXXXX CTF
XXXXXXXXXXX CTF 2007

Originally we'd intended to compete, but when the call went out for a host we switched gears completely. Being relative unknowns to the DEFCON community but regarded well by other similar groups, we've got a strong incentive to prove ourselves. Hosting allows us to bring new ideas to the table and create a CTF that stays true to the spirit of DEFCON while shaking things up in a way both veteran and new teams can enjoy.

CTF submission #4 of 4

- Number of people in your organization (that will actively be participating in creating/planning/executing CTF):

There will be approximately 8-20+ people working to design, engineer and present the Capture the Flag event at DefCon. Only the required personnel to ensure the successful execution of the CTF event will be present at the convention (including necessary support personnel).

- Physical resources (if any) that you will be bringing to help run CTF such as a disco ball, robots or enigma machines. This to help us plan to accommodate it with the hotel if you require extra power or special fire marshal approval for your Cray 1 cooling towers.:

TBD, large visual displays have been suggested, depending on the physical restrictions of the room. Also, external displays.

A large mobile rack/cage with gear.

- What experience have your team members had in playing CTF in the past. This is not a requirement, but shows real-world knowledge of the game as it has been played in the past.:

XXXXXXXXXX is a 3 time winner of the CTF competition.


- Explain you vision for CTF, Explain, in a general manner, your vision of your CTF.

Background:

On a planet far from Earth, several countries of various culture, ethnicity and creed have one thing in common. Each of these nations use a very powerful network that was created, and managed by a world-wide organization. The idea that this organization even exists is myth.

Believed by many conspiracy theorists, this organization controls most of the public press, various levels of some countries' governments and the flow of information over the world-wide networks that connect the populations.

Knowledge of this organization's motives is limited at best. Few people speak about it and those that do are ignored or even criticized by the citizens of the world, as paranoid or even insane. Governments do not acknowledge its existence, each representing their own countries networks as if they were controlled by the government itself. The quick response and information sharing between the governments when cyber-attacks occur is the only clue that there could be some larger force at work.

Directly targetted cyber-attacks have all but dissapeared. The media has credited this to a new type of technology in use on the global networks, yet is merely advertised by the service providers as end-user security.

Proof of this technologies value came quickly. It was widely covered in the global media how some method was used to determine physical locations of cyber-criminals so quickly that law enforcement could catch them almost immediately and red-handed. As more and more criminals were caught, this new type of reponse, powered by some mystery of a technology, left even the most brazen criminals returning to older methods of criminal activity and leaving the global networks alone.

Yet in a world of big business and electronic mediums there are areas of influence that no organization, despite it's power or size, will ever be able to control.

Quickly it became obvious that the only method of cyber-warfare that removed the retaliation of physical discovery, or at least delayed it, was in outer-space.

Today:

Cyber-warfare has since moved to focus on point-to-point wireless communication methods. Each exploit found and publicized fuels the conspiracies of supply chain sabotage.

Someone sits down to a public terminal and logs into a forum. Moments later a vulnerability appears on the underground networks that allows control of a specific type of satellite. Around a world, global actors look on. Each unaware of the role they are about to take in a global play. They look on, with a single thought crossing each of their minds.

Controlling a satellite would remove the threat of physical response. They would have time, not much, but perhaps enough, to dig deep enough into the networks and find the truth... but what truth?

The Capture the Flag Challenge

1. Do you have what it takes to join us at the DefCon convention to play Capture the Flag?

2. Do you want to test your abilities against top security professionals from around the world?

then it's time to Pre-Qualify.

7 teams will be selecte to join us at DefCon 2009.

1 surprise team will be selected at DefCon before the beginning of the games.

And if you aren't chosen you can always come play in the Swamp, because anyone is allowed to play, you just won't have a formal team spot.

- Explain how you hope the attendees will experience it. For example, they sign up on-line, get a secret package in the mail, start blindfolded with an unusual laptop? Are their certain crises points you will introduce during the game to confuse or add to the pressure?

Introduction:
Each team will connect to an environment provided to them by the CTF management organization. Teams will be responsible for defending their own environment while attacking others. Some attacks upon the CTF network or central services will be allowed. Each team’s environment will contain various operating systems, simulated network devices and applications. Various upstream and downstream dependencies will exist, with SLA requirements, thus making each teams environment a part of the whole CTF network.

The teams will be provided with real working examples of multi-system deployments with large enough server/content/application sizes to create the perception of large automated environments. Examples of subsystems would be Transaction and Batch Processing, SMTP (Email), DNP3 (power control), CA (certificates) and many other services.

CTF Network, The Green Zone:
Part of the CTF network is the green zone, this subnet will be clearly marked. Any attack on this network will result in the global organization detecting your physical location which results in your team's immediate change in status to disqualified. This simulates the reality that there are some places you just should not attack or even scan. All point scoring systems are located within the green zone.

CTF Network, The Red Zone:
Part of the CTF network is the Red Zone. This subnet will be clearly marked. Supporting the global organization, this area is where key business processing occurs for various services that each team has an assigned SLA. Exploitation and flagging of this area is allowed and may provide access to services and information that affect all teams.

CTF Run Attacks:
The CTF management organization will work with teams during various situations to provide them the opportunity to social engineer each other through the use of team pre-selected proxies. The identity of each team's pre-selected proxy for social engineering is considered Top Secret!

Country Flags:
Each team's environment will contain a set of specific flags that are used in general scoring but also represent specific strategic value, so each team which is represented as a fictitious country will have a set of stats, much like a common video game.

• Government
• Energy/Power
• Financial
• Transportation
• Monuments and Icons

These special flags represent control of various areas of the team's entity. Losing a flag yields standard flag points (as does any other flag) to the remote team, but these specific flags present basic downsides to the team that loses the flag.

The loss of a country flag will cause something else to occur. For example, Team A takes the Energy flag from Team B, Team B's Application IDS sensor now delays, or perhaps even drops 10% of the events instead of reporting them to the Team B's blue team personnel.

Another example would be when one team has captured N amount of flags from a specific other team or N flags of the same type from any team, they would be awarded bonus intelligence data. This intelligence data will be provided for a set period of time, The bonus intelligence can be used immediately or saved to be strategically used later in the competition.

This area of the CTF will demonstrate the downsides to losing specific flags modeled after real-life situations. The risk versus reward demonstrate a real impact of losing specific flags.

Hotel Cube:
The hotel cube is a special insider attack that can be used by any team at any time. Each team can only perform this attack for a given amount of time.

One person, selected by the team will be given access to the CTF network which will have basic backend traffic between all environments, and possibly very sensitive services that are not directly accessible from any other location.

The team member is only allowed to use a laptop. No other devices will be allowed while this attack is being performed, including cell phones or other communication devices.

The team member will have exactly 15 minutes of total access to the backend network. If the team member decides to stop then the balance of time remainding will be reserved for that team at a later time.

No communication is allowed between anyone other than CTF staff and the person executing the attack on behalf of their team, while the attack is taking place. Violation of this rule will result in immediate disqualification of the individual and the team will lose all remainding hotel cube time.

A team can decide to use 5 minutes of time with one team member to obtain information, then stop and come back another time with a different team member. However, since it is first come first serve one cannot be sure when they may get access to this physical location.

Access to this location is provided on a first come first serve basis.

This simulates a real insider attack and should be integrated into a team's long-term strategy. Time used will be rounded up to the nearest minute. Access will be terminated by physical removal of the network drop from the team member's laptop.


The Cafe Shop Network Drop:
Allows external scanning from a team to their own environment. This spot is ideally useful to review the teams own external attack surface. Each team will have this capability. However, only one team member is allowed to use this network drop at any one time for each team. This simulates your team's rogue agent that is between networks and external to your environment. There could be other information about the environment that can only be accessed via this network drop.

Throwing down the Gauntlet:
Using public press release which is an allowed action every 2 hours or so. A team
can perform a public annoucement that is propagated by the CTF organization. This press release can contain any message or data from the CTF team to the public. However, the result, if any desired result at all in response to the announcement has to be defined by the team performing the announcement to gain points. This allows for information warfare through the public media. If a desired result is stated then the result has to occur within 1 hour or the team is punished for failing to succeed in a planned information warfare attack.

Infrastructure Attacks (E.g. Power Off):
Various services may represent areas of the team's infrastructure. An example of this is turning of their power grid. Should your team be capable of such a feat, it would reset the target teams time-based multipler (See Scoring) to .90 regardless of any bonuses that team may have. Such tactical attacks may make the difference in the outcome of the competition. Not just performing such an attack, but knowing when to do it.

Network Traffic:
Automation and fake traffic will exist on the CTF network and use the environments from
the teams. The team environments will be required to have various services remain open for the duration of the engagement. The team can disable these services at a point loss as defense by air-gap is not real-world scenario for Service Level Agreement (SLA) services.

CERT:
The first team that reports a finding gets a minor boost in their time-base point multiplier. CERT notifies everyone else via
a message that a vulnerability exists yet the details of exact exploitation will not be propagated. It will require strategy for teams to consider when reporting vulnerabilities to CERT for extra points is a benefit as opposed to keeping it silent. This introduces having an ethical dilemma vs. maintaining a tactical offensive advantage.

C2 Console:
Each team will have a Command and Control console by which communication between the CTF management organization will be performed. Each team will receive real time application intrusion detection events when other teams are attacking specific applications or areas of applications within the target teams environment.

Email:
Each team will have an email system within their environment by which real and fake email will be received. One can never know what might show up here or how it can be used to attack your opponents.

Under The Radar:
It is not possible for the scoring system to really know who puts what flags where. As such, this is a known vulnerability in the scoring system. Instead of making a work around, it seems absolutely feasible to make this a part of the game dynamics. (See Scoring)

Since sets of flags your team controls will incur a bonus, a team may want to replace a set of flags with opponents flags in attempt to gain the bonus again by "re-flaging". The scoring system will not add the same bonus for a team while that same bonus is in effect. Reflaging requires the following actions.

1) You control a set of flags and get a bonus
2) A while later your bonus has returned to a standard 1.0
3) Your team has to lose all of the flags needed for that bonus to qualify for the bonus a second time
4) Since you have the exploit you replace your flags with other teams flags (or just garbage)
5) You wait until you think the scoring system has noticed that you do not have control anymore
6) Your team re-flags all of the other teams again and gets the bonus again.

This is a real-life example of repeatedly insulting the intelligence of the other teams intrusion detection team by repeatedly hacking them over and over using the same exploit.

If you perform this type of attack up to five times, the CTF management team may award you with an undisclosed bonus. Understand that doing this without getting detected by another team not to mention reverse engineering enough of the scoring system to ensure success will obtain you significant status.

- Provide three reasons your group should host CTF.

Experience playing CTF and understanding of what makes it fun.
We have an awesome idea that will be fun to create, run and we are sure the players and observers will enjoy it.

We can provide the DEFCON convention with fresh perspectives on entertaining CTF game play while also providing examples of real cyber-security and cyber warfare context that will challenge the most talented red/blue teams.

We rock and have tons of enterprise class security experience to add depth to the game and are highly motivated to make this successful and fun.

- How do players or teams qualify (if there are qualifications)?

XXXXXXXX will provide an Internet based scavenger hunt that includes various tasks and challenges such as reverse engineering, problem solving and network packet analysis. Clues obtained from various challenges can be pieced together to obtain and solve the final challenge. Team selection will be based on efficiency and results of this pre-qualification period by a panel of judges from our organization.

- Is it multi player or single-player, or a combination?

Up to 8 Team Slots ( 7 pre-selected, 1 on-the-spot) + Swamp (for lone gunmen)

The CTF pre-qualification process is for teams. The CTF event will have a ‘swamp’ where solo gunmen can participate without prequalification. There will be 1 addition spot for a team that will be selected at the beginning of event at the convention.

Teams that want to fill the on-the-spot addition will fill out a “Why should you be accepted?” essay and the selection will be announced the morning of the CTF competition. The winning team of the “on-the-spot” selection must be present with at least 4 members to participate. The 4 members must be pre-designated in the essay.

- What innovations or new ideas are you bringing to CTF?

We are bringing:

applications that utilize application IDS and intelligence reporting.
an environment for each team where logical components and automated processes will simulate various infrastructures of their fictitious country and provide real risk vs. reward decisions to be made
entertaining and engaging command and control interface used to display scoring and events to on-lookers.

simulated C2 (command and control) system for visualization and intelligence feeds (of which a part each team will have a data feed from the CTF organizers)

An onlooker interaction kiosk that will allow for periodically selecting which team will be ahead at various intervals during the competition as well as an onlooker “challenge” questionnaire. Both of which will allow for entry into a drawing at specific intervals throughout the competition for prizes. The data from this interactive system will then be used as part of the master display to show which team the onlookers are betting will be ahead during any specific interval.

- How long will the contest take, will it be 24x7, 8 hour shifts, etc?

12 hour shifts, 10am to 10pm for each day of the convention.

- What technical work is required to execute your plan. This includes setting up environments beforehand, pre-qualification work if any, writing a scoring system, etc.?

Creating a team environment
Creating custom backbone simulated environment
Developing the scoring mechanism
Integrating the C2 interfaces/scoring systems
Development of the Onlooker Kiosk and Questionnaires

Give an outline of the rules that will be presented to the participants:

CTF Participation:
Any team, team member, by proxy or directly interacting with the CTF network acknowledges that they are a willing participant of the CTF games. Their laptops, cellular phones or any other devices used or brought with them into the CTF designated area are knowingly allowed to be targets of cyber attack, and as a participant you give full permission to any other CTF participants to attempt to gain access to the data on devices you bring into the CTF designated area.

What participants should NOT do:
Do not bring devices that contain data that is sensitive, including PII, PHI, FOUO, etc. Do not bring devices that contain proprietary data. Do not bring devices that have the same passwords or login credentials as your home, work or other personal websites. Do not try to access your work or home or personal websites from the CTF network. We will be recording all traffic and do not want your work TELNET passwords in our databases.

Subjectability:
Interpretation of the applicability of any rules is solely at the discretion of the CTF management organization. The result of any violation can be removal from the CTF event, removal from DefCon, or being banned from DefCon permanently.

Denial of Service:
Denial of Service on infrastructure of any type is banned, physical or logical.
Physically interacting with the CTF infrastructure or other teams infrastructure will result in removal of person from the CTF game and optionally removal from DefCon.

If a team desires to perform specific attacks that "may" cause a denial of Service then communications from the team to CTF management organization is required to obtain permission. If a denial of service does occur then subjectively the impact will determine the punishment.

Physical Security:
Physically wandering into another teams area will result in disqualification. The simulation of this cyber warfare scenario asserts that each team is hidden and their physical location is unknown. Any physical attacks against another team are considered illegal and violation of the intent of these games.

Overt and Covert Social Engineering:
Communication between teams should be kept to a minimum within the CTF designated area, though we expect your teams to taunt each other, we do not want to digress to immature shouting matches. The simulation is based on the fact that you do not know nor can actually see the other teams. However, overt or covert communication outside the designated CTF arena are considered outside the scope of CTF organization management purvue, and we suggest you get information any way you can imagine within the rules.

Preparation:
Each team will have 30 minutes where by access will be provided to your environment before the environment is connected to the CTF network. At the end of the preparation window, the first scoring will be performed.

Network Discovery:
Creating or generating unecessary or repeated scans or other discovery will result in demerits. Specific windows will be communicated in various ways by the CTF organization management when and how network discovery is allowed. This simulates the reality that you cannot have a full group of people spamming the network with NMAP and SNMP without getting caught.

Audio/Video Surveillance:
No audio recording, bugging or directional microphones, video camcorders or video phones are allowed to be used by any team within the designated CTF game arena; including any other method to perform audio or video surveillance of CTF staff or any other persons within the designated game area, of any kind. Violating this rule will result in the entire team being disqualified and removed from the DefCon convention.

Pictures/Sampling:
Still photos or audio sampling are allowed as long as the frequency and attitude of the recording is not construed by the CTF management organization as time-delayed interval-based surveillance.

Teams and the Swamp:
Teams cannot access the CTF from the Swamp or have an agent of their team work from the Swamp. Any agent of a team, overt or covert that is detected within the swamp will be disqualified and the team will suffer demerits. If a team determines that they want to pickup an agent from the swamp, then consult CTF staff and they can be moved to the team's physical area. Remember you have limited physical space.

Physical Space/Power:
Each team will be limited to a specific amount of physical space and power. If you can fit 12 people into your space, so be it. However, don't bring 10 racks of equipment because you aren't pluggin them into our power supply. A typical two laptops or one laptop/one desktop per team member is the maximum allowed. If you bring more demanding hardware, we will make a judgement call on-site, and it will most likely be a resounding negative. No you cannot run a power generator within the CTF designated area. We expect 8 people with 2 laptops each can comfortably sit in each CTF team area.

Physical Resources:
We will provide tables and chairs, 1 power drop and 1 network drop. Each team will be required to bring their own physical equipment to distribute power or connectivity within their team's physical space.

Wireless/Wired Extensions:
Teams are not allowed to run wireless or wired devices that allow any external entity, person or deivce, to connect to the team's network.

Outsourcing:
Outsourcing is an understood necessity of the games. If your team needs to bruce force a hash or perform other analysis you can absolutely send it to whomever you want. We want you to take advantage of your leet rainbow table setup in your garage at home. You must use a method of communication that does not violate any of the other CTF rules (such as bridging networks).

Cellular Phones:
The use of cellular phones within the CTF designated area has been approved so long as the use of the phone does not violate any of the other CTF rules.

Bridging Networks:
The bridging of any networks via any wireless or wired method to your physical area and the CTF network is not allowed.Internet access via the CTF network will not be provided. Internet access via the DefCon network will be provided. We suggest setting up a tunnel ahead of time so that any research you perform isn't noticed by nefarious wifi sniffing.

Scoring Points:
Teams will score points by maintaining control of flags. A flag is a set of bytes that can be located anywhere, within any service or data stream or data object.

The location or composition of flags will not be communicated to any of the teams. It is up to the teams to determine where the flags are and how to defend or attack them.

Various clues will be scattered through-out the environments for some flags, some will require common sense, and some will require a massive amount of blue-team and red-team expertise.

At no time will a team's score lose points. Points can only be added to the score. X is the total amount of points added to the team's score during the scoring period.

X = (( Team Flags + Other Team Flags + Red Zone Flags ) * SLA Percentage ) * Time-Based Multiplier )

SLA Percentage = Number of services open divided by number of services under SLA.

If 10 are open, and 12 are required, then the SLA is 0.83.

Time-Based Multiplier = 1.0000 by default. This multiplier may be incremented by doing cool things or decremented as punishment for violating rules. This can also be reduced from it's current amount for a team if another team successfully performs specific attacks against them. The multiplier has a time limit when it is >1. As such each bonus addition to the multiplier adds

For example, if there are 10 flags. Suppose team A has defending all 10 of their own and has control of 3 flags (1 from 3 other teams). This team has all of their required SLA services open, so the SLA percentage is 100%.

X = (( 10 + 3 + 0 ) * 100% (or 1.0) ) * 1.00

X = (( 13 * 1.0 ) * 1.00 )

X = 13

The team would add 13 to their current score.

Now imagine that the team doesn't have all their services open as required.

Suppose 10 services are open, and 12 are required, then the SLA is 0.83.

X = (( 10 + 3 + 0 ) * 83% (or .83) ) * 1.00

X = (( 13 * 0.83 ) * 1.00 )

X = 10.79

The team would add 10.79 to their current score. Obviously keeping those SLA services open is key to ensuring a good score. However, lets look at a different type of perspective on strategy.

Suppose your team finds a flaw in a service and desires to fix it. Your team exploits it and flags all other teams. We'll use the same number of services as the previous example, 12. You have to drop the service to fix it, or perhaps you just want to keep it down until you have it fixed. We'll assume this is the only service down.

Since the service is offline, your SLA will be 11 / 12. Since that one service is down, IF there is a flag associated (in this case there is) then the scoring system can't know who owns it, so you don't get a point for it, but no one else does either.

So the total flags your team owns is 11, yet your SLA is 91%.
For this example let's supposed there are 7 other teams, and you have control of this flag on their systems for this service.

X = (( 11 + 7 + 0 ) * 91% (or .91) ) * 1.00

X = (( 18 * 0.91 ) * 1.00 )

X = 16.38

Understanding the Time-Based Multiplier:
Suppose Team A gains control of the same flag for a number of teams, or even across all opponent teams. This may provide to them a bonus depending on which flag it is. In this case let's suppose that the bonus for this flag is 0.1.

The time-based multiplier is then incremented to 1.1. This will last for multiple scoring periods. So the previous example becomes:

Are these 7 flags the same location for these teams? If yes, 1.00 + 0.1.

X = (( 11 + 7 + 0 ) * 91% (or .91) ) * 1.10

X = (( 18 * 0.91 ) * 1.10 )

X = 18.01

The next scoring period the bonus is not added again, if previously added. so assume that Team A loses 1 flag before the next scoring is done, yet they fixed their own service for the previous exploit so their SLA is back to 100%. So even though they lost one flag, they still own 11 on their own system.

X = (( 11 + 7 + 0 ) * 100% (or 1.00) ) * 1.10

X = (( 18 * 100 ) * 1.10 )

X = 19.8

Looks like Team A is getting some good scoring here.

Keeping the Momentum, Using the Time-Based Multiplier:
The bonus as shown above by which all points are multiplied by 1.1 demonstrates momentum and brilliance for a given team. If Team A can do something else to obtain a bonus before the Time-Based Multiplier is returned to 1.00(remember it only lasts so long) then the next addition will compound on the original multiplier.

Suppose Team A finds another exploit but can only flag 2 other teams and then realize they are about to lose their bonus. The number of controlled flags increases to 9. Given that Team A can't get a bonus for just those 2 flags, they decide to report the vulnerability to CERT and take advantage of the bonus aggregation applied to the other flags that they currently control.

If they do this before their time-based multiplier wears off...

Assuming they are the first time to notify CERT, then for example, the CERT bonus is added on top of the current scoring multipler for the NEXT scoring period PLUS the duration of the bonus is reset.

Multiplier = 1.10 + CERT Bonus 0.05

X = (( 11 + 9 + 0 ) * 100% (or 1.00) ) * 1.15

X = (( 20 * 100 ) * 1.15 )

X = 23

Now lets imagine that Team A had chosen not to report this to CERT. The time-based multiplier was going to reset.

X = (( 11 + 9 + 0 ) * 100% (or 1.00) ) * 1.00

X = (( 20 * 100 ) * 1.00 )

X = 20

However, sure the number of points is less if they don't report to CERT in this situation, but they still are holding the exploit and will continue to attack other teams who may not know that it is there.

Also, one should not stop trying an exploit just because CERT has sent out an announcement to the other teams. They may not even be watching their C2 systems notifications.

Various bonuses will be present throughout the cyber warfare scenario. Each of the bonuses represents a tactical advantage or level of control that one team has over one or more of the other opponents.

For this example, all scores were rounded down to the nearest 2 decimals regardless of following decimals. The final scoring system will probably round up to the nearest 2 decimals meaning 0.833 will be interpreted as .83 and 0.835 will be interpreted as 0.84.

The scoring system will not perform specific scoring on a timely basis. A team cannot disable their services between scoring by the CTF network in attempt to thwart attacks.

- Why do you want to do this?

XXXXXXXXXXX wants to make the CTF event the most entertaining CTF event ever, while creating realistic situations where teams have to prioritize their strategies to maximize their combined strengths in offensive and defensive tactics to include; Intel, Counter-Intel, and Misinformation.

The presentation of in-game events, score keeping, onlooker polls, and the outcomes of tactical decisions by teams will be displayed using a Command and Control system that provides onlookers with a near real-time analysis of events and team progress.

XXXXXXXXXXX will utilize the special additions to game play and presentation to provide direct interaction with the CTF event, while keeping onlookers outside the direct participation of the on-going scenario.

- What hardware resources do you request or need from DEFCON?

Unknown

-Explain what you believe is the best way to gauge a hacker's abilities, and how your vision of the contest could do this?

Providing real defense and offensive situations require teams to do strategic planning and tactical positioning. The resulting winner of the competition will undoubtedly be the most cunning and skilled team. Gauging skills is much more than just technical skill, it’s strategic thinking, plotting and executing. Mental fortitude and discipline is necessary to execute and win an undertaking such as CTF.

-Tell us anything else that you think may be important or that we might consider in choosing your group to host CTF.

We want this to rock, all around and be an experience that people will talk about - want to win and will come back again. We plan on staging two test runs previous to launch to ensure game play is seamless.

Feedback

This is from someone who emailed me directly with feedback. I thought I would post it here to help start a discussion.

------------------

Submission #3:
> Over the years the DEFCON CTF has become the ultimate test of hacking
> ability, separating the script kiddies from the leet.

Many will agree that CTF@DEFCON is a [if not the] top competitive hacking event, reserved for some of the most talented hackers in the world. Top competitive events (World Cup, Olympics, WRC, ICPC, etc.) typically attend to the highest expression of their particular
discipline: the most difficult goal[s] to achieve, regardless of how esoteric. There is no real-world useful application of speed skating, pole vaulting, or driving 170+kph on donkey trails, yet they are done regularly for those very competitions.

> However that's where the similarities to previous years end. Instead
> of FreeBSD, the target OS will be Windows based. This better reflects
> the attack surface a team would encounter in the wild and mixes the
> game up for experienced teams.

If the OS of choice for past years is regarded as a tough nut to crack, why should that be dropped for an OS that is more popular but generally perceived as easier to compromise? Isn't that dropping the calibre of the game? Other than making it easier for some competitors and a choice of principle for those who elect to avoid non-libre software, how is it expected that this will improve the game?

Re: Feedback

The OS isn't what's being attacked. None of the heavy features of FreeBSD that make it so secure were being exercised. Yes, a team could throw an 0-day and win a Windows based game, but those chances are around in every game, regardless of platform...nothing is secure. The fact is that custom services are the target, and as such, the difficulty of the game remains the same. The transition to Windows would make it harder for teams who have competed in the past and already have a library of shellcode/tools for the POSIX exploitation stuff.


Really? That seems like such an opaque mess. It could take several hours after the event for a team to actually know how they did. And the algorithm for scores seems so complicated that teams have no choice but to trust you. If some piece of infrastructure went down, or something was mis-counted, it seems like it could easily be swept under the rug and hidden in the magic formulas so you could save face.

All of the sub-components of the game also make it seem like it might be trying to do too much for a first year. I'm wondering if game quality would be diminished by that.

Also, I wasn't aware contest organizers had the permission to ban people from Defcon...

Re: CTF Submissions - There can be only one!

I like the ideas of:
Better game visualization
Crowd participation
Theming.

Re: Feedback

Concur. However, as this is a CTF competition, the OS is part of the free-for-all, is it not?

Concur. Interesting if a competent dis-interested party back-checked the math?

Concur.

I wasn't either. Just from their particular contest. I was under the impression that any violations were escalated to the DefCon organizer core group and that they made the ban/no ban from Defcon decision. Perhaps someone will elaborate.

Regards,

valkyrie
________________________________________________
sapere aude

Re: CTF Submissions - There can be only one!

I have other thoughts on some of the other proposals, but after reading this:

They should be reject just for proposing that. Isn't it kind of a "show-stopper"?

Re: Feedback

I read that as a comment related to DoS and breaking rules of the contest which were also either illegal or actions that could also get a person kicked out of Defcon.

For example, if a link for CTF was rented from an ISP for international teams not at Defcon to compete, and one of the players or teams at Defcon was caught attempting a DoS on the link or ISP that was providing the link, that they might find themselves in boiling kettle with native chanting something about, "human -- the other, *other* white met."

Another? A person tries to gain physical access by brute force and an altercation results.

Of course, these are justs guesses as I'm not running the CTF and can't (yet) read other people's minds. Besides, writing to other people's minds would be far more interesting. ]:>

It would be better for them to be clear on their statement, as it there is a suggestion that they would have authority to do what is claimed without the explicit notice that the reason for being banned from Defcon wouldn't primarily be contest rule violations, but instead be laws or something that would cause someone to be banned from Defcon.

I've not had time to review all of these for feedback, but if I do get time, I will provide my thoughts on the above.

Re: Feedback

Those who do illegal actions should be accountable. Is it the responsibility of the contest organizers to determine how to handle additional accountability, other than the offender kicked to curb for their violation? No. To report it? Yes. The decision? That belongs to the DefCon organizers. Why? Because they have laid their butts on the line for a whole bunch of people who may or may not grok it and they are the ones who ultimately have to deal with all the fall out of anyone's naughtiness.

Don't over think this, mk?

I do think that was addressed by all 4 submissions. Naughty in the CTF area proper, not naughty outside. All CTF participants should be forewarned and forearmed against SE attacks.

I have read the submissions. Now, I am not so smart. So, school me, eh?

Regards,

valkyrie
__________________________________
sapere aude

Re: Feedback

There is no over-thought -- there is consideration of what is possible based on the description. Comprehension and understanding combined with learning are part of being human. Is the ability to imagine what might be, part of innovation? If so, then what happens when imagination is used to guess at the intended meaning of content?

There is no over-thought. There is reflection and consideration of what might be.There is question, and hypothesis. There is test and evaluation. Now we wait for results.

You've actually read them, but I've not. I read only the segment about banning people from Defcon. Active reading of each submission takes a lot of time.

I am not a teacher. I'm the pointy haired boss from Dilbert. For an education, seek out CatBert the Evil HR director or his minions, as they have a great deal of experience for anyone seeking wisdom.

Re: Feedback

Don't you think that the nearly 5 month lead up time would be enough for any team to collect/build a library of windows shellcode?

I think the problem with Windows is that it makes it impossible (or nearly so) for the organizers to release any game images after the con because of its proprietary nature. One of the things I would like to see in the proposals is some sort of commitment to release contest materials after the con so that those of us that don't get a chance to play can get a feel for what the game is like. I know that some teams have posted materials in the past but it would be nice to see the organizers take a more active role. I think that packet captures were released after one ctf, but I haven't seen that happen in years.

-ZR

Re: Feedback

Unfortunately, yes. However, EVERYBODY has the same chance. A new team is on the same playing field as a team who hasn't played.

One thing that everybody picking on the Windows side of the game is missing is that with Windows comes new types of services. Windows brings COM and MS-RPC style services to the table.

Uhhh...why would the organizers need to release the game image? A snapshot of the binaries would be more than enough...and would not be encumbered by any licenses. It would also have the benefit of being a few megs instead of a few gigs. That of course assumes that the organizers want to release that stuff. I can't speak for any of the potential organizers, though.