FAQ (Frequently Answered Questions)


  • sk00t
    replied
    Re: FAQ (Frequently Answered Questions)

    Originally posted by Chris
    I agree. I think you should have to create a new admin/UID 0 account. I think that shows ownership better than getting read access to a file.
    Hrm... Makes sense, and I agree -- filesystem reads != shell access. This could be in the instructions in the ciphertext. How about changing a service banner to include a string provided in the ciphertext, a la CTF? This would also make my scoreboard self-updating, which is something I've been chewing on as well.



  • Chris
    replied
    Re: FAQ (Frequently Answered Questions)

    Originally posted by Deviant Ollam
    while i certainly like the crypto aspect of it, it's not the most difficult thing in the world to get read access where one isn't supposed to. would be sort of nice if there was some kind of additional requirement or at least extra credit... like after an attacker reads the pad and verifies the decrypted string they have to gain write-access to the volume and change the file to something else or create a new account with root privileges or something like that.

    just my $0.02
    I agree. I think you should have to create a new admin/UID 0 account. I think that shows ownership better than getting read access to a file.



  • Deviant Ollam
    replied
    Re: FAQ (Frequently Answered Questions)

    Originally posted by sk00t
    What constitutes a compromise of the machine?
    Each entrant will be provided with a large unique one-time-pad, which will be placed on the machine. ... Once an attacker has the OTP, they can decrypt the message
    while i certainly like the crypto aspect of it, it's not the most difficult thing in the world to get read access where one isn't supposed to. would be sort of nice if there was some kind of additional requirement or at least extra credit... like after an attacker reads the pad and verifies the decrypted string they have to gain write-access to the volume and change the file to something else or create a new account with root privileges or something like that.

    just my $0.02



  • sk00t
    started a topic FAQ (Frequently Answered Questions)

    FAQ (Frequently Answered Questions)

    I want to bring a box to enter for my research / paper / training. Can I get network captures and a forensic image if it's compromised?

    You betcha. Enough people have asked for this that I'm bringing at least 1TB of capture storage with me, which I hope will be enough. I'll make arrangements to get you the capture somehow, but ideally if you bring a big honking SATA drive with you, I can get it to you at con.

    On forensic images, if you want to do analysis of a successful compromise, you can keep your own drive. It's easier for us and people getting free boxes don't get to bitch.


    If I get 0wned I want the attacker to sit down over beers and tell me how he / she succeeded.

    It's encouraged, sure, but not required. We absolutely do not want to discourage 0days or private exploits. The intent here is to look at how well hardened boxes do in an extremely hostile environment as very visible targets. The Eastern Bloc malware ninjas who owned your employer don't have to drop by for a chat, and no one at con does either.


    How the hell can I get my E10K / RS6000 / Cray / HP N-Class / etc on the plane?

    This is coming up a lot. How to get a box to the con? The ever-helpful Cotman pointed out that you can have FedEx/UPS/DHL/an 18-wheeler deliver the box to your attention at the hotel as long as you make arrangements with them in advance and have a reservation. Just call ahead to the front desk and make sure you're kosher.


    What constitutes a compromise of the machine?

    Each entrant will be provided with a large unique one-time-pad, which will be placed on the machine. At a minimum it will need to be readable by Admin / root / toor / qsysopr / etc. The OTP will decrypt a unique ciphertext for each entry, which we'll make available (not saying how just yet) at the start of the contest.

    Once an attacker has the OTP, they can decrypt the message, which will have instructions on what steps are then needed to claim the machine. Yes, this could kind of become a crypto challenge as well. If someone outside of Fort Meade can crack a very large ciphertext with no known plaintext in 24 hours or so, I guess they get your box. Bruce is here this year, so I guess it's possible.


    So, won't you have the keys? I have to trust you?

    Yes. Waah. Look, I am 5'7" and a good 25 lbs lighter than the smallest goon, and there are a buttload of entries already, so if you don't trust me, you'll have to at least trust the power of frontier justice. The problem is, if someone other than the entrant doesn't have the plaintext how do we verify it? I am your CA. I am Verisign. Deal.


    What services can I make public? Are echo and chargen okay?

    The current acceptable services list, subject to revision, is below. If you have a nifty service you want to run, go for it. It just needs to be capable of both a public layer and some kind of authenticated layer for Day 2.
    • FTP(s)
    • HTTP(s)
    • NFS / AFS / SMB
    • LDAP
    • SSH / Telnet / Rlogin
    • IRC
    • Gopher
    • LPD / Cupsd / IPP
    • POP3(s) / IMAP(s)


    Can I restrict the shell with RSBAC / AppArmor / SELinux / MAC / gaffer tape?

    You bet. That's absolutely the point, though it's not required. It seems like the theme here so far has been either sacrificial lambs or folks who want to test their hardening-fu. Both are welcome to enter.
    Last edited by sk00t; June 19, 2007, 19:24. Reason: Updated with Chris and Ollam's suggestion. Instructions in the plaintext may include creating a shell / changing a banner.
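The claim mechanism described in the FAQ (a pad stored on the box, a published ciphertext, decrypted instructions) together with the banner-token idea from sk00t's reply above, written out as an added Python sketch. This is not code from the contest or from anyone in the thread; the plaintext, the token format, the banner line and the pad are all constructed here for illustration.

```python
import secrets
import hmac

# Constructed sample: stands in for the contest's real instructions.
# The real pad, ciphertext and claim steps are not on the page.
SAMPLE_PLAINTEXT = b"Claim token: 7f3a9c; set your SSH banner to include it."


def make_pad(length: int) -> bytes:
    """Generate a one-time pad of exactly `length` random bytes."""
    return secrets.token_bytes(length)


def otp_xor(data: bytes, pad: bytes) -> bytes:
    """XOR data with the pad; encryption and decryption are the same step.

    The pad must be at least as long as the data. A shorter pad would have
    to be reused, and a reused pad is no longer a one-time pad.
    """
    if len(pad) < len(data):
        raise ValueError("pad shorter than data: refusing to reuse key material")
    return bytes(d ^ p for d, p in zip(data, pad))


def extract_token(plaintext: bytes) -> str:
    """Pull the claim token out of the decrypted instructions.

    The 'Claim token: <token>;' layout is an assumption of this sketch.
    """
    text = plaintext.decode("ascii")
    marker = "Claim token: "
    start = text.index(marker) + len(marker)
    end = text.index(";", start)
    return text[start:end]


def banner_contains_token(banner: bytes, token: str) -> bool:
    """Scoreboard check: does a captured service banner carry the token?

    Each whitespace-separated word is compared in constant time so the
    checker itself does not leak how much of a guess matched.
    """
    for word in banner.split():
        candidate = word.strip(b",.;").decode("ascii", "replace")
        if hmac.compare_digest(candidate, token):
            return True
    return False


def demo():
    """Full round trip: pad, ciphertext, decrypt, token, banner check."""
    pad = make_pad(len(SAMPLE_PLAINTEXT))
    ciphertext = otp_xor(SAMPLE_PLAINTEXT, pad)   # what entrants would publish
    recovered = otp_xor(ciphertext, pad)          # what a pad reader sees
    token = extract_token(recovered)
    # Constructed banner, as a scoreboard poller might capture it.
    banner = b"SSH-2.0-OpenSSH_4.3 7f3a9c\r\n"
    return recovered == SAMPLE_PLAINTEXT, token, banner_contains_token(banner, token)


if __name__ == "__main__":
    print(demo())
```

The pad gives the instructions confidentiality only: XOR with a pad has no integrity check, so the scoreboard should never trust a submitted plaintext on its own and instead verify something observable on the box, which is exactly what the banner token provides.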