Call for DEFCON Capture the Flag Organizers

This topic is closed.

  • Call for DEFCON Capture the Flag Organizers

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Call for DEFCON Capture the Flag Organizers.
    - -----------------------------------

    Wanted:
    An evil large multinational corporation, or...
    A nefarious group of genius autonomous hackers, or...
    A shadowy government organization from somewhere in the world

    To:
    Host, recreate, and innovate the world's most (in)famous hacking contest.

    Why:
    For everlasting fame, intrusive media interviews, the respect of your
    peers, or the envy of your enemies.

    Do you have what it takes and know what we're talking about?

    The Story:
    After taking it to the next level, creating a spectator sport out of geeks
    sitting at their keyboards 0wning machines, and fabulous recognition around
    the world, the Ghetto Hackers have retired their Root Foo as the hosts of
    DEFCON's Capture The Flag. Our contest is not over, merely in transition
    to the next keepers of the flame. This is the opportunity you and your
    crew, company, or government has been waiting for.

    You too can pour your heart, countless hundreds of hours into planning,
    producing, and executing the world’s most famous contest of hacking skills.
    Like all of our contests, they are run by volunteers.

    Our intent is to make a game that's fun for its participants. While the
    Ghetto did a fabulous job of allowing CTF to be a team and spectator sport
    through scoring visualizations, commentators, game updates, et cetera, this
    is not a requirement. They took it to a new level in one area, and you can
    take it to another. The heart of hacking has many facets.

    Your constraints:
    You must design a cool contest. This contest could have a multiplayer/team
    aspect, but does not have to. Your contest can be based on previous games,
    but shouldn't be a mere replication of previous games. You can determine
    the teams/participants before DEFCON, or at the conference. You can have
    multiple contests (for example, one contest with individuals, one with
    teams). You determine the constraints, size of teams, allowing remote
    teams to play, and more.

    You design the network topology. You determine the rules. Your group will
    determine the winner, and the losers. The idea behind this CFP is not to
    ask people to reproduce past Capture the Flags, but to have your group
    reinvent and create something new, based on the same ideas of creativity
    and energy. Challenge your friends!

    You MUST:
    Clearly communicate the rules to the participants before the contest, set
    up clear eligibility requirements (if any) before the conference, set up
    the network, provide any infrastructure that you wish to be part of the
    game, referee the game while it is taking place, create a scoring system,
    and determine winners. The easier it is for contestants to understand how
    to win, the more fair the contest will feel. The contest must end no later
    than two hours before the end of DEFCON (5pm Sunday) in order to provide
    time for final scoring and the awards ceremony.

    Your contest MUST NOT:
    Interfere with the DEFCON networks (ie: it must be a separate network),
    interfere with the 'live internet', involve non-consensual parties (ie:
    anyone who hasn't explicitly agreed to take part in the contests), take
    bribes that are not equally shared with the DEFCON staff.

    In the past, network traffic on CTF has been captured for later forensic
    analysis by groups such as shmoo, and Source Fire and shared with the
    community to further IDS and network sniffer developers. Expect that we
    will give access to those wanting to capture traffic while not actively
    participating in the contest.

    Suggestions:
    Allowing 'lone gunman' to participate (not require group play). This could
    be a separate contest, or they could participate in competition with teams
    (handicaps for teams, perhaps)

    Allowing 'outside players', perhaps a VPN connection with one
    representative at DEFCON, the rest of a shadowy team located elsewhere in
    the globe.

    Incorporating non intrusion/defense techniques to the game - steganography,
    covert communication channels, riddles/puzzles, social engineering,
    hardware hacking, radio direction finding, etc.

    A 'theme' (like forensics, covert channels, attacking, defending,
    application security, host security, etc.) that would be announced
    beforehand with the contest focused around the theme.

    You will be judged:
    On any innovations or revolutionary enhancements to the game.
    On the feasibility of your team getting all the work done (note: we will
    publicly humiliate you if you get accepted and fail to perform!).
    On the amount of fun (as measured in FunMeters) that participants will
    have.

    Resources we can provide:
    Badges to the conference and access to the CTF area for setup on Thursday,
    the day before the con.
    Physical space roughly equal to that which has been provided at past
    DEFCONs.
    Tables for participants to use.
    Screens and LCD projectors to display data with.
    Network connections from the net if necessary.
    Some network gear and power strips - please let us know early what you need
    so we can plan for it.
    Prizes for the winning people or teams.

    Research pointers:
    If you haven’t been to DEFCON before, you should understand the environment
    your contest must operate in! http://www.defcon/ will get you started.
    These may help give you an idea about past contests, what has worked, and
    what hasn't. Ceazar gave a presentation on running hacking contests at
    Black Hat Asia (learn from a master):
    http://www.blackhat.com/presentation.../bh-jp-04-eller/bh-jp-04-eller.pdf
    Shmoo's CTF sniffing project: http://www.shmoo.com/cctf/
    DC 10 Rules:
    http://www.DEFCON.org/html/DEFCON-10...ctf-rules.html
    DC 11 CTF Announcement:
    http://www.DEFCON.org/html/DEFCON-11...ctf-teams.html
    White paper on a team's participation:
    http://www.cse.ogi.edu/~crispin/disc...mix_DEFCON.pdf
    Ceazar briefly discusses CTF before GH ran the contest:
    http://www.antioffline.com/10/ghettohackers.html

    So you want to play a game?

    Here's the process:
    1. Fill out the application below. You will receive an acknowledgment that
    your submission was received within 48 business hours of us receiving it.
    2. We will use relatively simple criteria to judge your entry. 1:)
    Feasibility of your team pulling off this task, 2:) The amount of fun we
    imagine the participants will have with your contest, 3:) the coolness or
    innovation you bring to the contests.
    3. We will contact finalists and ask them further questions, and talk over
    any questions that we will inevitably have.
    4. We will announce the winner(s) on XYZ date. It is possible that we will
    choose multiple teams that run concurrent contests that are different.
    5. We will hammer out details over the phone, participating in your game
    creation (not interfering with it, just ensuring everything is going
    smoothly). We will conference call with you and may fly you down to sunny
    Seattle to meet with us to discuss planning for the event.

    Application:
    All contact information will be kept private, and not disclosed outside the
    DEFCON planning organization.

    About you and your group
    Name of your organization:
    Name of primary contact:
    Email Address of Primary contact:
    Phone number of primary contact
    Number of people in your organization (that will actively be participating
    in creating/planning/executing CTF):
    Experience team members have had in planning events (This could be a bake
    sale with 500 people, or a DoD briefings for 20 people, something that
    indicates some planning experience):
    Technical ability of team (this would include a general list of people's
    abilities * networking, hardware, et cetera):
    Physical resources (if any) that you will be bringing to help run CTF:
    What experience have your team members had in playing CTF in the past (this
    is not a requirement, but shows real-world knowledge of the game as it has
    been played in the past)

    Your Vision for CTF
    - -Explain, in a general manner, your vision of your CTF.
    - -Provide three reasons your group should host CTF.
    - -How do players or teams qualify (if there are qualifications)?
    - -Is it multi player or single-player, or a combination?
    - -What innovations or new ideas are you bringing to CTF.
    - -How long will the contest take, will it be 24x7, 8 hour shifts, etc?
    - -What technical work is required to execute your plan. This includes
    setting up environments beforehand, pre qualification work if any, writing
    a scoring system, etc.?
    - -Give an outline of the rules that will be presented to the participants:
    - -Why do you want to do this?
    - -What hardware resources do you request or need from DEFCON?
    - -Explain what you believe is the best way to gauge a hacker's abilities,
    and how your vision of the contest could do this?
    - -Tell us anything else that you think may be important or that we might
    consider in choosing your group to host CTF.

    Send it in! Deadline is March 31st, 2005. Submissions go to ctf [at] defcon
    [d0t] org

    A discussion area has been created on the DEFCON forums
    (http://forum.defcon.org/) under the DEFCON 13 Events section to cover new
    ideas, ask for feedback, and get an idea of what is going on, new
    announcements will be on the main DEFCON web site (http://www.defcon.org/).

    Thank you,
    The Dark Tangent

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 8.1

    -----END PGP SIGNATURE-----
    Last edited by Dark Tangent; January 19, 2005, 15:39.
    PGP key: dtangent@defcon.org valid 2020 Jan 15, to 2024 Jan 01 Fingerprint: BC5B CD9A C609 1B6B CD81 9636 D7C6 E96C FE66 156A

  • #2
    Updates to announcement, conversation starter..

    I just edited the post from yesterday and added some more content. Also the main web site will always have the most current information.

    With that said, let's start the discussion here.


    • #3
      As much as Defcon is trying to stay away from sponsors, I would still be excited to see a bigger company come in with some more expensive hardware to play on. In a sense, stepping up the competition to a new level using exploits on some of the newest hardware/software. I can't see this being done though where those companies want to keep as much information about their hardware secret (using a fake sense of security through lack of information -- what usually breeds holes in security). For a company to come out like that would be like saying "Our technology is the best, and we're willing to let hackers jump all over it to prove it lives up to the test!" Three days straight of reverse engineering by a number of the best hackers in the world is quite the test.

      Then again, you could look at the other side of the coin... where there's a lack of hundreds of known security exploits, it could be a very inactive, boring game. If said company could come up with a complex setup where it maybe wasn't just security exploits they were taking advantage of to gain points, but also taking advantage of a certain system's behaviour to play into another part of the system to gain points. In a sense of the word, adding in little quirks in the design and giving points to the team that finds those quirks and uses them.

      Enough rambling from me, I've already got my hands full for Defcon 13.



      • #4
        Originally posted by Tierra
        As much as Defcon is trying to stay away from sponsors, I would still be excited to see a bigger company come in with some more expensive hardware to play on. In a sense, stepping up the competition to a new level using exploits on some of the newest hardware/software. I can't see this being done though where those companies want to keep as much information about their hardware secret (using a fake sense of security through lack of information -- what usually breeds holes in security). For a company to come out like that would be like saying "Our technology is the best, and we're willing to let hackers jump all over it to prove it lives up to the test!" Three days straight of reverse engineering by a number of the best hackers in the world is quite the test.

        Then again, you could look at the other side of the coin... where there's a lack of hundreds of known security exploits, it could be a very inactive, boring game. If said company could come up with a complex setup where it maybe wasn't just security exploits they were taking advantage of to gain points, but also taking advantage of a certain system's behaviour to play into another part of the system to gain points. In a sense of the word, adding in little quirks in the design and giving points to the team that finds those quirks and uses them.

        Enough rambling from me, I've already got my hands full for Defcon 13.

        I am working on a response/application for CTF, and while it's not done, I can tell you with utmost certainty that I have a CHINESE manufacturer of lan/wan switches/routers on board who thinks they are "all that and phrute salad" and will be loaning their stuff to CTF boasting they can't be hacked. Suckas... Personally, I think they will survive the contest. But what do I know? And if that were not enough, there are about 5 other points that will be original - plus a demented, EVIL twist that would ruin even Mitnick's day. I'm warning you, if picked, it's gonna be sick.



        • #5
          Originally posted by richardw
          I am working on a response/application for CTF, and while it's not done, I can tell you with utmost certainty that I have a CHINESE manufacturer of lan/wan switches/routers on board who thinks they are "all that and phrute salad" and will be loaning their stuff to CTF boasting they can't be hacked. Suckas... Personally, I think they will survive the contest. But what do I know? And if that were not enough, there are about 5 other points that will be original - plus a demented, EVIL twist that would ruin even Mitnick's day. I'm warning you, if picked, it's gonna be sick.

          Very good. They really are suckas.



          • #6
            End of Thread

            With kenshoto selected to run the CtF contest, this thread is pretty much done.