Not much feedback on the above idea...

After reading this post (originally in New Ideas) I started thinking about ways that a crypto contest could be dones at DefCon, but have not come up with ideas on how it could really work over just 3 days. The idea of a crypto contest which lasts a year, where people submit one cryptographic system each, and then spend the reast of the year trying to break each other's ciphers sounds like a good idea, but this has been done elsewhere.

Another idea... create a network of 5 to 10 machines running different OS with common services on a private network (not part of the Internet.) and let people infect the machines with worms (or a worm with a virus as a payload) over the network Scoring could be based on number of machine infected, and/or number of files infected... (Perhaps this is too much like CTF.)
This would be a lot of work:
An antivirus scanner would need to have fingerprints for submissions provided and be able to differentiate between known/wild and unreleased. Also, the newtork of dissimilar OS machines would need to be built and scanned. DoS should lead to loss of points too, and it could be difficult to assign blame.

Codebreaking Contest

We could have a code breaking contest, with teams of 5. Maybe not something as big as hash encryption but, we could start with simple stuff like ceasars box and work your way to harder stuff. Team with most points wins.

oops, sorry, should of read TheCotMan's post first. He already posted this idea :(

This is (http://www.jasonfrazier.com/gamecode/gameentry.htm) a fun crypto game that easy could be converted to be played over tree days. Each day has a cut off for the next stage. The first solving stage tree the third day wins.

I've been to cons where you are given an encrypted message to break over the course of the weekend. It was pretty fun.

If you want to set up some kind of code game I suggest talking to Elonka. I'm sure she'd have some ideas.

I had thought of a couple of 'cipher' games (not really crypto) that would be fun. One I had actually conceived of for the forums but never mentioned, another was an idea for DC this year that was summarily shot down.

The forums game (which could easily be played at DEF CON as well) was pretty simple. Someone starts a thread with a text message derived using a homegrown cipher (i.e. not rot13 or a derivative, but something you conceived of yourself). The first person to 'crack the code' would then create their own cipher and post a message using it and so forth.

I thought it sounded like fun, and the two or three people I mentioned it to seemed to think it was a decent idea, but for some reason I never brought it to fruition. If people are interested in this type of thing let me know and maybe I'll bring it to bear.

The other idea was to set a WPA-PSK Access Point up at DEF CON. The passphrase would be 104 characters long. The 'phrase' would be printed in the DC Program. For instance, (shortened for demo's sake here) if the Program listed the passphrase as 'Chris Rules' then you have a ton of possible PSKs:

Chr1s Rul3s
chr1s rul3s
chr1s Rul3s
chris rul3s

and so on. I was curious if we used a 104 char psk and gave 5000 people 72 hours, would they be able to crack it? My thought was that it couldn't be done (which is basically the reason that the contest was shot down).

Does anyone else think that either of those sound like fun? Or am I just on crack?

I am bad as can.

I like them both. The first could be a fun thread.

As to the second game, I'm just not sure how many of the 5000 would play. It would probably depend on the prize. Secondly, if the phrase was in the program, would it be possible to brute force it if someone had the text in a file?

Yes. that's the only way it could be done. As for how may would participate...I would assume less than 100 would work on it.

Now...to brute forcing. You would basically have to take all of the possible characters and then write something to 'test' each possible permutation. For instance, there is nothing that says 'C' has to be 'C' It could be C, c, or <. So, assuming that there are 40 possible characters in the PSK (not all of the alphabet, let's say 20 letters, 0-9, and 12 special character possibilities) you run into a serious problem with a passphrase that big. Don't forget, even if you 'figure out' the correct characters, you still have to figure out the correct spacing and punctuation.

I would love to be proven wrong on this, it may well be possible, but I just don't think it would happen in the 3 days of DEF CON. I had considered testing this myself at a couple of the conferences I have spoken at this year. Basically telling people the PSK during my presentation and setting the AP in my room and letting people go to town...but I never did it.

The crypto/cipher game could be fun, but there would need to be requirements if the algorithm was not published with the ciphered text, otherwise there is a problem like what has existed in other realms where someone posts random data and say, "break my leet code." :-/

An alternative is to have someone who is trusted verify the cipher works and was used to generate the cipher text provided, and then not participate or leak that information.

Another ideas is to provide specification on how the cipher worked when the encrypted text is included. Maybe a time limit would be good too. A minimum size of encrypted text would also bo good.

A list of "winners" within a table of "still not broken" checkboxes would be good too, for each successful cipher in each round of the game.

code breaking contest-awesome idea




i think a code breaking (more accuratly called 'cypher breaking'_ contest would be a great addition to defcon. (btw, i don't think cotman's post was about code breaking.)
cryptography is a major part of security, so why not include it in defcon? we wouldn't be able to crack widely used ciphers (DES, AES, etc), but we could have a contest where teams would have to crack cryptograms from monoalphabetic up to Enigma style encryption.

This post was more about attacking ciphers than breaking a specific coded message.

Simple character substitutions, and repeated use of a static bitlength XOR key that is significantly shorter than the message, can be pushed through some software with frequency distribution analysis, to try to estimate the key. With simple ciphers, the game becomes one of "who has the best software" to perform analysis.

For a complex key with a keyspace that can be brute-forced in a reasonable time, an advantage is given to those with access to computing resources. (Consider a fed working at LANL, or LLNL where they may be able to pass a message by e-mail to a friend for brute forcing, or in the unlikely event they have made remote access to such resources possible, direct access to said resources.)

It is a difficult problem to solve. How do you level a playing field to not provide advantage between the people with significantly more resources to break a code, and the rest of the people who only have pencil and paper?

How do you make the contest simple enough that you have more than one person willing to play, but not so simple that it is trivial?

Chris had some pretty good ideas for a contest in the other thread.

And the last problem? Who would run such a contest?
[And for people who might ask, I think this is an example of where it is better to bring up an old thread about a topic this specific, than it would be to start a third thread. The user even mentions having read the other thread. Perhaps an exception? I'm not sure, but in this case, I am glad an older, existing thread was used.]

[Added:]
And then there was one. -- Threads merged.

Writing software for cryptograms in a defcon contest would require groups or individuals entering the contest way before the convention starts, something like how CTF is set up.

However, software to "break" simple ciphers like ROT-13 or even ROT-26 are not very hard to write, it can even be done in Visual Basic. Even so, it would take a few hours to write such software.

On the other hand, to make things interesting, you can require it to be a paper and pencil kind of deal, maybe even throw in the last part of the contest to be a Vigenere's, all relatively simple ciphers if done by computing, however by pencil and paper, would make things tougher.

i think to make things even more interesting, we use a more complex cipher that isn't likely to be brute forced. instead, you'd have to find weaknesses in the cipher by using different types of cryptographic attacks (known plaintext, known ciphertext, etc). maybe we could have contestants create their own ciphers and have them put to the test at defcon (this might take longer than two days....we'd have to work out some bugs.)
A while ago i made a crypto game that was played over a network, and it was very similar to SSH (it encrypted packets) but the encryption algorithm was weak enough that it could be broken. maybe we could use a modified version of this game.

Re: Code Games / Retro Games

Recently I have been looking into the demo scene, and I think it would be neat to have a projector somewhere, old/new hardware (Amigas to PS2's, Mac II's to X86 etc...) and have a demo party, the ones without sound normally could be accompanied by chiptunes off a music disk or something.

I haven't made any demo's myself, but I love the art, music and code that goes into these masterpieces! (oh and I have a crystal chipped PS2 if anyone wants to pursue this further :-P)

Just some thoughts.