Announcement

Collapse
No announcement yet.

FAQ (Frequently Answered Questions)

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • FAQ (Frequently Answered Questions)

    I want to bring a box to enter for my research / paper / training. Can I get network captures and a forensic image if it's compromised?

    You betcha. Enough people have asked for this that I'm bringing at least 1TB of capture storage with me, which I hope will be enough. I'll make arrangements to get you the capture somehow, but ideally if you bring a big honking SATA drive with you, I can get it to you at con.

    On forensic images, if you want to do analysis of a successful compromise, you can keep your own drive. It's easier for us and people getting free boxes don't get to bitch.


    If I get 0wned I want the attacker to sit down over beers and tell me how he / she succeeded.

    It's encouraged, sure, but not required. We absolutely do not want to discourage 0days or private exploits. The intent here is to look at how well hardened boxes do in an extremely hostile environment as very visible targets. The Eastern Bloc malware ninjas who owned your employer don't have to drop by for a chat, and no one at con does either.


    How the hell can I get my E10K / RS6000 / Cray / HP N-Class / etc on the plane?

    This is coming up a lot. How to get a box to the con? The ever-helpful Cotman pointed out that you can have FedEx/UPS/DHL/an 18-wheeler deliver the box to your attention at the hotel as long as you make arrangements with them in advance and have a reservation. Just call ahead to the front desk and make sure you're kosher.


    What constitutes a compromise of the machine?

    Each entrant will be provided with a large unique one-time-pad, which will be placed on the machine. At a minimum it will need to readable by Admin / root / toor / qsysopr / etc. The OTP will decrypt a unique ciphertext for each entry, which we'll make available (not saying how just yet) at the start of the contest.

    Once an attacker has the OTP, they can decrypt the message, which will have instructions on what steps are then needed to claim the machine. Yes, this could kind of become a crypto challenge as well. If someone outside of Fort Meade can crack a very large ciphertext with no known plaintext in 24 hours or so, I guess they get your box. Bruce is here this year, so I guess it's possible.


    So, won't you have the keys? I have to trust you?

    Yes. Waah. Look, I am 5'7" and a good 25 lbs lighter than the smallest goon, and there are a buttload of entries already, so if you don't trust me, you'll have to at least trust the power of frontier justice. The problem is, if someone other than the entrant doesn't have the plaintext how do we verify it? I am your CA. I am Verisign. Deal.


    What services can I make public? Are echo and chargen okay?

    The current acceptable services list, subject to revision, is below. If you have a nifty service you want to run, go for it. It just needs to be capable of both a public layer and some kind of authenticated layer for Day 2.
    • FTP(s)
    • HTTP(s)
    • NFS / AFS / SMB
    • LDAP
    • SSH / Telnet / Rlogin
    • IRC
    • Gopher
    • LPD / Cupsd / IPP
    • POP3(s) / IMAP(s)


    Can I restrict the shell with RSBAC / App Armor / SeLinux / MAC / gaffer tape?
    You bet. That's absolutely the point, though it's not required. It seems like the theme here so far has been either sacrifical lambs or folks who want to test their hardening-fu. Both are welcome to enter.
    sk00t
    Productivity Vortex
    Last edited by sk00t; June 19, 2007, 21:24. Reason: Updated with Chris and Ollam's suggestion. Instructions in the plaintext may include creating a shell / changing a banner.
    "Raise a toast to ... I think he might have been our only decent ."

  • #2
    Re: FAQ (Frequently Answered Questions)

    Originally posted by sk00t View Post
    What constitutes a compromise of the machine?
    Each entrant will be provided with a large unique one-time-pad, which will be placed on the machine. ... Once an attacker has the OTP, they can decrypt the message
    while i certainly like the crypto aspect of it, it's not the most difficult thing in the world to get read access where one isn't supposed to. would be sort of nice if there was some kind of additional requirement or at least extra credit... like after an attacker reads the pad and verifies the decrypted string they have to gain write-access to the volume and change the file to something else or create a new account with root privileges or something like that.

    just my $0.02
    "I'll admit I had an OiNK account and frequented it quite often… What made OiNK a great place was that it was like the world's greatest record store… iTunes kind of feels like Sam Goody to me. I don't feel cool when I go there. I'm tired of seeing John Mayer's face pop up. I feel like I'm being hustled when I visit there, and I don't think their product is that great. DRM, low bit rate, etc... OiNK it existed because it filled a void of what people want."
    - Trent Reznor

    Comment


    • #3
      Re: FAQ (Frequently Answered Questions)

      Originally posted by Deviant Ollam View Post
      while i certainly like the crypto aspect of it, it's not the most difficult thing in the world to get read access where one isn't supposed to. would be sort of nice if there was some kind of additional requirement or at least extra credit... like after an attacker reads the pad and verifies the decrypted string they have to gain write-access to the volume and change the file to something else or create a new account with root privileges or something like that.

      just my $0.02
      I agree. I think you should have to create a new admin/UID 0 account. I think that shows ownership better than getting read access to a file.
      perl -e 'print pack(c5, (41*2), sqrt(7056), (unpack(c,H)-2), oct(115), 10)'

      Comment


      • #4
        Re: FAQ (Frequently Answered Questions)

        Originally posted by Chris View Post
        I agree. I think you should have to create a new admin/UID 0 account. I think that shows ownership better than getting read access to a file.
        Hrm... Makes sense, and I agree -- filesystem reads != shell access. This could be in the instructions in the ciphertext. How about changing a service banner to include a string provided in the ciphertext, a la CTF? This would also make my scoreboard self-updating, which is something I've been chewing on as well.
        "Raise a toast to ... I think he might have been our only decent ."

        Comment


        • #5
          Re: FAQ (Frequently Answered Questions)

          Originally posted by Chris View Post
          I agree. I think you should have to create a new admin/UID 0 account. I think that shows ownership better than getting read access to a file.
          Updated the FAQ to read that the ciphertext will have instructions to claim the box. Makes it a bit more flexible that way so we can figure out what will be both fair and measurable.
          "Raise a toast to ... I think he might have been our only decent ."

          Comment


          • #6
            Re: FAQ (Frequently Answered Questions)

            Do we have to enter a box to get forensic data or can we hoover it up on the side line?

            Comment


            • #7
              Re: FAQ (Frequently Answered Questions)

              Originally posted by Shinobi View Post
              Do we have to enter a box to get forensic data or can we hoover it up on the side line?
              I'm not sure how many spans I'll have -- I'm bringing at least one 24 port switch, but they're older Nortels and may not do more than one mirror.

              I realize you're in the UK so I understand it's a lot to ask to bring something over. Do you have something else to bribe me with? :)
              "Raise a toast to ... I think he might have been our only decent ."

              Comment


              • #8
                Re: FAQ (Frequently Answered Questions)

                Originally posted by sk00t View Post
                I'm not sure how many spans I'll have -- I'm bringing at least one 24 port switch, but they're older Nortels and may not do more than one mirror.

                I realize you're in the UK so I understand it's a lot to ask to bring something over. Do you have something else to bribe me with? :)
                Beer?

                If someone else is capturing data it might just be easier if I can rip a copy off later during Defcon.

                Comment


                • #9
                  Re: FAQ (Frequently Answered Questions)

                  Originally posted by Shinobi View Post
                  Beer?

                  If someone else is capturing data it might just be easier if I can rip a copy off later during Defcon.
                  I'm not a beer guy, but a '99 Chateau Neuf Du Pape will get you a few hundred gigs of attack data. :)

                  Like I mention in the FAQ I'm going to bring a box with at least 1TB of capture. If you bring a SATA drive along it will be pretty easy for me to clone it off for you. You would just be at the bottom of the queue after any entrants who want the same thing.
                  "Raise a toast to ... I think he might have been our only decent ."

                  Comment


                  • #10
                    Re: FAQ (Frequently Answered Questions)

                    Originally posted by sk00t View Post
                    I'm not a beer guy, but a '99 Chateau Neuf Du Pape will get you a few hundred gigs of attack data. :)
                    How about blue nun or babysham?

                    Comment


                    • #11
                      Re: FAQ (Frequently Answered Questions)

                      How about Pabst...and whiskey?
                      A paranoid is someone who knows a little of what's going on.
                      -
                      William S. Burroughs

                      Comment


                      • #12
                        Re: FAQ (Frequently Answered Questions)

                        meths?

                        Comment


                        • #13
                          Re: FAQ (Frequently Answered Questions)

                          Originally posted by Shinobi View Post
                          meths?
                          You can get that on the plane but not a server? Wha? I guess I know where you're keeping it, then...
                          "Raise a toast to ... I think he might have been our only decent ."

                          Comment


                          • #14
                            Re: FAQ (Frequently Answered Questions)

                            Originally posted by sk00t View Post
                            You can get that on the plane but not a server? Wha? I guess I know where you're keeping it, then...
                            Yup and it's a 1L bottle too... ouch...

                            Comment


                            • #15
                              Re: FAQ (Frequently Answered Questions)

                              Originally posted by Shinobi View Post
                              Yup and it's a 1L bottle too... ouch...
                              Are you Pool2Girl? I guess I know what to trade for the capture...
                              "Raise a toast to ... I think he might have been our only decent ."

                              Comment

                              Working...
                              X