Announcement

Collapse
No announcement yet.

Scoreboard and some other thoughts

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Scoreboard and some other thoughts

    Okay, so I'm starting to chew on the scoreboard concept a bit. Obviously, it will be a list of IPs, with current 0wned / un0wned status, and as mentioned I will have a special "0wn the Goon / 0wn the presenter" section with gratuitous use of the <blink> tag.

    I'm also thinking a traffic graph with dest ports and top attacker IP's would be cool, and a scrolling list of alerts picked up by Snort, just to give folks something to watch. Anything else that would make you stop while walking by and look?

    I would really, really like to have a way to have the scoreboard be self updating, but I'm having a hard time working out the best way to do this. I could have a successful attacker emit some kind of beacon, and spew packets out with the decrypted message to be sniffed by the scoreboard box, or have them hit some undisclosed URL that would then change the status on the display... Does anyone else have any ideas?

    Also, I originally had thought we would post the hardware descriptions next to the IPs, but I'm thinking it might be more interesting to leave it undisclosed. I really, really like the idea of someone spending a few hours, jumping up and saying "Dude! I did it! I just got a... TRS-80?"

    Thoughts?
    Last edited by sk00t; June 25, 2007, 00:44. Reason: Too much punch at annual Tri-Lambda mixer and dwarf toss
    "Raise a toast to ... I think he might have been our only decent ."

  • #2
    Re: Scoreboard and some other thoughts

    Originally posted by sk00t View Post
    Okay, so I'm starting to chew on the scoreboard concept a bit. Obviously, it will be a list of IPs, with current 0wned / un0wned status, and as mentioned I will have a special "0wn the Goon / 0wn the presenter" section with gratuitous use of the <blink> tag.

    I'm also thinking a traffic graph with dest ports and top attacker IP's would be cool, and a scrolling list of alerts picked up by Snort, just to give folks something to watch. Anything else that would make you stop while walking by and look?

    I would really, really like to have a way to have the scoreboard be self updating, but I'm having a hard time working out the best way to do this. I could have a successful attacker emit some kind of beacon, and spew packets out with the decrypted message to be sniffed by the scoreboard box, or have them hit some undisclosed URL that would then change the status on the display... Does anyone else have any ideas?

    Also, I originally had thought we would post the hardware descriptions next to the IPs, but I'm thinking it might be more interesting to leave it undisclosed. I really, really like the idea of someone spending a few hours, jumping up and saying "Dude! I did it! I just got a... TRS-80?"

    Thoughts?
    In some of the early CTF, where players were defenders and attackers, there was a polling service that would check for a specific file store at the root level of the filesystem. This contained a file signed with a key of a team that owned the box. In the case of a defender, the key signing the file was owned by the defender. Once a new "owner" placed their key in the specific location and was able to keep it there, the next time the polling server noticed, the change in ownership would be regsitered, and points would be assigned. This requires defenders to run a special service that would answer poling requests from a central polling server.

    CTF has changed several times over the years. The contest you are building is closer to the CTF contest from about 10 years ago. You might be able to borrow some of the ideas from the original contest to make your life easier.

    Also, last year, there was a projector in the contest/event area with updates about defcon, and updates about contests. Organizers/Leaders could fill out paperwork to submit new information about their contest or event and have it updated on the leaderboard.

    With so much old equipment, you may want to remind users to bring whatever they need to provide you with a RJ45, [10|100|1000]BaseT port Ethernet to connect to your network. There is high risk for some people to arrive with 10Base2 or maybe even 10Base5, or AUI. Maybe even risk for Serial Port Terminal Servers, or TokenRing.

    Also, if you have not discussed your contests' requirements for power, you really should talk to Russ soon. If the B&W ball will be in the contest space, there may be need to move some contest/event tables. Keep this in mind when building your space.

    See what other people say. Other ideas may surface....

    Also, you will probably want to be able to take breaks to get food and leave your table. Make sure you have people you know and trust to take your place when you need a bathroom break, or need to get food.

    Comment


    • #3
      Re: Scoreboard and some other thoughts

      Just make a scoreboard out of cardboard. Have Vinyl Vanna up there changing the numbers as the score changes.

      Comment


      • #4
        Re: Scoreboard and some other thoughts

        I like the idea of using Snort to generate alerts to go onto the page. However you might want to remove some of the signatures, it might go a bit crazy when people start scanning etc.

        Comment


        • #5
          Re: Scoreboard and some other thoughts

          Originally posted by TheCotMan View Post
          This requires defenders to run a special service that would answer poling requests from a central polling server.
          I think for now that would be out. Since folks are going to all the trouble to actually build stuff this close to con and set it up I don't want to ask them to add custom services, etc, for now.

          Originally posted by TheCotMan View Post
          CTF has changed several times over the years. The contest you are building is closer to the CTF contest from about 10 years ago.
          Yeah, I'm cutting edge like that. :) Actually, yes, the old CTFs with defenders / attackers category is part of what I'm interested in bringing back. I always liked in particular the (apocryphal?) story of someone bringing a VAX as an entry. I think with the entries we have now we can inject some of the absurd back in to this kind of event.

          Originally posted by TheCotMan View Post
          With so much old equipment, you may want to remind users to bring whatever they need to provide you with a RJ45, [10|100|1000]BaseT port Ethernet to connect to your network.
          Yep. I'm sending that out in an update mail to entries as we get a bit closer. I really love the old entries but we have to draw the line somewhere, and I think IEEE 802.3 is that line.

          Originally posted by TheCotMan View Post
          Also, if you have not discussed your contests' requirements for power, you really should talk to Russ soon. If the B&W ball will be in the contest space, there may be need to move some contest/event tables. Keep this in mind when building your space.
          I have been frantically spamming anyone who will listen for a week or two now. If you have any other contacts I should use send me a PM. I'm pretty hopeful that we will get a physical room for gear off the main area so that we can a) keep it online so people can bang on it and b) keep it secure. We'll see.

          Originally posted by TheCotMan View Post
          Also, you will probably want to be able to take breaks to get food and leave your table. Make sure you have people you know and trust to take your place when you need a bathroom break, or need to get food.
          If we can get a secured area for the gear, this will help a lot, since then all we'll need to watch is the scoreboard gear. I will send out a little prayer to the DC gods and hope it's answered.
          Last edited by sk00t; June 25, 2007, 22:08.
          "Raise a toast to ... I think he might have been our only decent ."

          Comment


          • #6
            Re: Scoreboard and some other thoughts

            Originally posted by astcell View Post
            Just make a scoreboard out of cardboard. Have Vinyl Vanna up there changing the numbers as the score changes.
            Done, assuming you're volunteering to rustle up a Vanna. Trust me, you do no want to see me in pleather...
            "Raise a toast to ... I think he might have been our only decent ."

            Comment


            • #7
              Re: Scoreboard and some other thoughts

              Originally posted by sk00t View Post
              Yep. I'm sending that out in an update mail to entries as we get a bit closer. I really love the old entries but we have to draw the line somewhere, and I think IEEE 802.3 is that line.
              You could bring a few bridges, for different layer2 networks to RJ45, but then the per-port L2 switching advantage is kind-of broken, unless you have dedicated ports per bridge and one device per bridges network. (Lots of overhead for a contest builder.)

              I have been frantically spamming Russ, Grifter, DCNetworking and anyone else who will listen for a week or two now. If you have any other contacts I should use send me a PM. I'm pretty hopeful that we will get a physical room for gear off the main area so that we can a) keep it online so people can bang on it and b) keep it secure. We'll see.
              There are other people you can contact, but it is really best to have your communications go through the person that is running your area. If you will be on the contest floor, then it will be difficult, especially with a possibility of the B&W Ball being on the Contest floor, unless security goons will be guarding tables, or items needing to be secured can be secured overnight. Other events may have the same problem. Perhaps these are being examined with the planning of the B&W Ball, if it will be on the Contest Floor.

              If you are on the Contest/Event floor, Russ is the person to contact. He needs to be central to any resource requests, or else his planning for locations to place events in the room (which are close to things like power and networking) could be made unhappy. To try to bypass him with resource requests could create problems for everyone. If you were granted a room on the second floor, then you will probably want to contact Grifter (unless he tells you otherwise.) Grifter is/was in charge of the room assignments in the 2nd floor overlooking the contest areasm which are called "skyboxes."

              If we can get a secured area for the gear, this will help a lot, since then all we'll need to watch is the scoreboard gear. I will send out a little prayer to the DC gods and hope it's answered.
              Last year, I think the contest room was just locked up on some nights, and some of the contest/event organizers just took many of their table items to their rooms, or another room, like some of of the LPCon items.) If the B&W Ball will be in this same location, then it will be even less secure.
              Having a secured area can help, but the contest floor isn't exactly a secured area. Your best best for anything close to a secured area would be the skyboxes that Grifter acts as High Commander and Overlord

              Until you get an answer confirming or denying a "Secured area" you probably should assume that you won't have a secured area that you can lock up to go get food, and plan to have people watch your table for you while you take breaks for whatever, or fetch food for you. If you have a Local DCG, you can try to recruit some locals to help you with this. Another option is to become buddies with your neighbor on the contest/event floor and do the quid pro quo thing.

              Comment


              • #8
                Re: Scoreboard and some other thoughts

                Because virtualization is a hot topic.. I'd like to get clarification on something that.. I can imagine will be used a lot in this contest.

                Say I have a hypervisor A, with virtual servers of some kind (vmware/kvm/qemu) B and C. Each of B and C with a single service... Now...does a compromise of only B count as a compromise of the box? Or would you have to compromise both servers and their respective services'. Or.. do you have to compromise the hypervisor itself to count as a real "0wning".

                Its possible this is already covered someplace, if so.. I apologize.

                I think this is a very cool contest. I'm going to try and work out some very small box (think zarus) and make some interesting puzzle like services.
                The only constant in the universe is change itself

                Comment


                • #9
                  Re: Scoreboard and some other thoughts

                  Originally posted by dYn4mic View Post
                  Because virtualization is a hot topic.. I'd like to get clarification on something that.. I can imagine will be used a lot in this contest.

                  Say I have a hypervisor A, with virtual servers of some kind (vmware/kvm/qemu) B and C. Each of B and C with a single service... Now...does a compromise of only B count as a compromise of the box? Or would you have to compromise both servers and their respective services'. Or.. do you have to compromise the hypervisor itself to count as a real "0wning".

                  Its possible this is already covered someplace, if so.. I apologize.

                  I think this is a very cool contest. I'm going to try and work out some very small box (think zarus) and make some interesting puzzle like services.
                  Zaurus! Awesome!

                  For this year, again, we're really just going for some kind of controlled chaos to see what sticks. I'm just so damned happy that so many folks are interested that I'm not going to be much of a stickler. There is so much to be gained for attackers, that a little edge for defenders isn't a big deal, IMNSHO.

                  My €.02 would be that the hypervisor would constitute ownage, simply because I'm interested in seeing if this is possible. There have been attacks in the past against memory compartmentalization in, for example, Sun's virtualization and others over the years, and I think that someone willing to spend the time could break out.

                  But, in all fairness to the "real world", if I'm Joe Corporate network admin, and my mailserver is a VM, if it's owned, I'm owned.

                  Maybe multiple entries would be fun, one for each VM and one for the Hypervisor. If you own the VM, you can give someone a box full of air.
                  "Raise a toast to ... I think he might have been our only decent ."

                  Comment


                  • #10
                    Re: Scoreboard and some other thoughts

                    For commercial virtualization instances, you could have them give up their license. ]:>

                    Comment


                    • #11
                      Re: Scoreboard and some other thoughts

                      Originally posted by TheCotMan View Post
                      For commercial virtualization instances, you could have them give up their license. ]:>
                      Good call!
                      "Haters, gonna hate"

                      Comment


                      • #12
                        Re: Scoreboard and some other thoughts

                        Originally posted by sk00t View Post
                        Zaurus! Awesome!

                        For this year, again, we're really just going for some kind of controlled chaos to see what sticks. I'm just so damned happy that so many folks are interested that I'm not going to be much of a stickler. There is so much to be gained for attackers, that a little edge for defenders isn't a big deal, IMNSHO.

                        My €.02 would be that the hypervisor would constitute ownage, simply because I'm interested in seeing if this is possible. There have been attacks in the past against memory compartmentalization in, for example, Sun's virtualization and others over the years, and I think that someone willing to spend the time could break out.

                        But, in all fairness to the "real world", if I'm Joe Corporate network admin, and my mailserver is a VM, if it's owned, I'm owned.

                        Maybe multiple entries would be fun, one for each VM and one for the Hypervisor. If you own the VM, you can give someone a box full of air.
                        Yeah.. Thats very understandable. I hope I can get something together in time.
                        It would be pretty neat if some hardware vendors came in with some expensive stuff and "layed it down". I did see that Novell is stepping up with to put AppArmor to the test. Look forward to seeing if people bring the big guns out to take home a box. That brings me to another point I don't think has been discussed...
                        Lets say Bob the attacker uses his 0day exploit he's been sitting on for awhile, which owns the box. Will there be a full capture of the network traffic?
                        Hopefully bob would be a good guy and show us all what he used to 0wn it but.. if he doesn't, is that against the rules?
                        With people buying exploits these days.. sadly they have become a commodity (more than the art they already were) and I don't know if some people would give them up to the public for a $500 dollar computer.. when they could sell it to 3com for $10,000.
                        I can say that this is far from something I would do but, we do live in the day where some hackers are all about the Benjamin's.

                        Just throwing some ideas around...
                        -dyn
                        The only constant in the universe is change itself

                        Comment


                        • #13
                          Re: Scoreboard and some other thoughts

                          Originally posted by dYn4mic View Post
                          It would be pretty neat if some hardware vendors came in with some expensive stuff and "layed it down". I did see that Novell is stepping up with to put AppArmor to the test. Look forward to seeing if people bring the big guns out to take home a box.
                          Chris did get in touch with some folks, and I have a LOT of vendor hits to the site in my server logs (you know who you are!), but no one has contacted me at all.

                          Novell / AppArmor is not involved. There is a talk on overflow protections that has an entry, but it's not Crispin's, at least as far as I know. I mailed Crispin some time ago, but got a bounce back, and don't have a current address for him. If someone does, send me a PM.

                          Originally posted by dYn4mic View Post
                          That brings me to another point I don't think has been discussed...
                          Lets say Bob the attacker uses his 0day exploit he's been sitting on for awhile, which owns the box. Will there be a full capture of the network traffic?
                          Hopefully bob would be a good guy and show us all what he used to 0wn it but.. if he doesn't, is that against the rules?
                          It's in the FAQ. No one has to share how they were successful. It's encouraged, but not required.

                          Originally posted by dYn4mic View Post
                          Just throwing some ideas around...
                          -dyn
                          Much welcome!

                          Send me a mail to the address in the CFB so I can track your entry, and the specs on the box you're planning on entering so I can post it, when you get a chance. I'm tracking all the entries via email so I can easily contact folks -- should have a mail out soon with some more details about distributing the OTPs, and hopefully the subnet allocation from DCNetworking so I can start handing out IPs.

                          If you're doing VMs and need multiple addresses, let me know.

                          Thanks again. I am just floored at the number of entries! I have no idea where we're going to put all this stuff!
                          "Raise a toast to ... I think he might have been our only decent ."

                          Comment


                          • #14
                            The VM question

                            Okay someone PM'd just now with a GREAT idea for what constitutes compromise on VMs, IMNSHO.

                            If all VMs are compromised, the box is compromised. Seems reasonable to me.

                            So, you would place a fragment of the key on each VM, and once all fragments are assembled, the attacker can decrypt the ciphertext.

                            Sound good to everyone?
                            "Raise a toast to ... I think he might have been our only decent ."

                            Comment

                            Working...
                            X