0wn the box? Own the box!
-
Re: 0wn the box? Own the box!
Yeah, OK, so far this looks the most interesting out of the new contests (sorry Panadero... I even suck at toy guitars). I await further details in the FAQ regarding the custom service we need to run, but I guess if a C64 will run it then a 286 should be fine.
Now, where the hell are my DOS 2.0 disks and wu-FTP 1.0a files.....
-
Re: 0wn the box? Own the box!
Basically the only requirement is that at least one of the services have some second layer that requires authentication. On day two, we'll give out creds for all the services, so you'll need to have something to log in to. Beyond that, the services listed in the FAQ are the suggestions.
The only reason we say "running two visible services to our specs" in the announcement is that I don't want to waste everyone's time with a bunch of stuff sitting there offering up one static HTML page and a fake SMTP server with a banner that says "go away".
286 will be fine, as long as you've got a network jack. The C64 entry (which I'm still waiting for detail on) would have one as well, if it makes it.
"Raise a toast to ... I think he might have been our only decent ."
-
Re: 0wn the box? Own the box!
Do we get to attack the attackers as well? Seems to me that if you want to play, then everyone needs to be on the defensive and anyone is open to attack and losing their box.
-
Re: 0wn the box? Own the box!
This is not CTF, so you actually hand the machine over and are expected to leave it alone until the end of the contest, and you don't have to bring a box to play.
What you're describing would (to me) be too much like existing contests, albeit with higher stakes and without a team aspect. The idea is for this to be sort of a real-world analogy for what running a box with public services on the 'net is every day... You versus the world.
So... The attackers are actually anyone and everyone who wants to go after a given box. My hope is that we'll be up on the DC Wifi and accessible to everyone, but at a minimum I will have 48 ethernet ports available, and anyone can walk up and cable in.
That said, I suppose if one of your accessible services was for example SSH, you could be logged in and play whack-a-mole with all the stuff coming at you.
As far as attacking the attackers (keeping in mind the source machines likely aren't entries in the contest), from my experience this would be no different from typical traffic on the con network, wouldn't it?
Last edited by sk00t; June 23, 2007, 18:26. Reason: You got your chocolate in my peanut butter! You got your peanut butter in my chocolate!
-
Re: 0wn the box? Own the box!
But if I own somebody on the con network, I don't get to take their box home.
If I log in to my box and see somebody is trying to attack me, I should be able to then try to attack the attacker in return.
This adds an element of risk for the attackers as well. If they want to show their stuff, they better be able to also defend themselves appropriately. They don't need to have any services open. Just as in the real world, someone attacking you would be stupid to leave themselves vulnerable. However if they do, and you're able to root them, you get to take an extra laptop home with you.
The attackers just need to make sure their box is completely locked down also. However I'll bet a few of them may not be, and this would add an additional element to the game. The attackers shouldn't be left in a completely risk-free scenario.
Besides, it'll probably happen anyhow. I'm sure some people will be attacking vulnerable attacker machines just for the sport/fun/be-a-dick.
-
Re: 0wn the box? Own the box!
I did have the same thought, and I personally like the idea. I think the problem right now is that because we're already a latecomer to the contests, I'm not sure we can change the requirements now that we already have about 10-15 boxes. Everyone else entered is purely coming in as a defender now.
BUT -- I do like this concept, and I think others would as well. The intent is a little bit different in that the proposed approach is something I can see people spending a majority of their time at the con on, but I really like the idea of something CTF-like that is solo, rather than team-oriented. Part of why I wanted to do this is that I always want to do CTF but don't have a posse and don't want to join someone else's. :)
I'd say let's try things out with the current route and then go from there. This first year is an experiment, and based on feedback and what everyone thinks we'll grow and change as we go along.
If interest turns out to be very high, I see nothing wrong with requiring people to bring their own entry in order to participate. For right now, though, I know that as long as I can get enough defenders there will be no shortage of attackers, so we're guaranteed to have something workable out of the gate, as a new contest.
But again, hold on to the idea, and let's talk during con and see if this is a change everyone would like to see for next year.
-
Re: 0wn the box? Own the box!
Fair enough.
I'm thinking of putting up a locked down Windows server to see how well it holds up. Not sure if I want to risk losing the laptop though, it'll depend on what the reward potential ends up being, and if I go to DC at all this year.