[Dailydave] DEF CON Call for CTF Organizers

Dark Tangent dtangent at defcon.org
Fri Nov 2 00:13:13 EDT 2012


Call for DEFCON Capture the Flag Organizers Version 2.1

 

Please spread this announcement far and wide!

 

WANTED:

An evil large multinational corporation, or...

A nefarious group of genius autonomous hackers, or...

A shadowy government organization from somewhere in the world

 

TO:

Host, recreate, and innovate the world's most (in)famous hacking contest.

 

WHY:

For everlasting fame, intrusive media interviews, the respect of your peers,
or the envy of your enemies.

 

Do you have what it takes and know what we're talking about?

 

All things must change, and after years of hard work DDTEK has decided that
it is time to let someone else have a chance to run CTF. We will forever
miss their crazy videos, clever configurations, and, of course, the sheep!
After growing the DEFCON CTF to become the world series of CTFs and largest
on-site team vs. team CTF in the world, DDTEK has officially retired as the
organizer and hosts of DEFCON's CTF. The contest is not over, merely in
transition to the next keepers of the flame. This is the opportunity you and
your crew, company, or government have been waiting for!

 

You too can pour your heart and countless thousands of hours into planning,
producing, and executing the world's most famous contest of hacking skills.
All of the contests at DEFCON are run by volunteers, and CTF is no different.

 

My intent is to make a game that's fun for its participants. DDTEK did a
fabulous job turning DEFCON CTF into the granddaddy of all CTFs while
revolutionizing CTF scoring. They took it to new heights, and you can take
it too. The heart of hacking has many facets!

 

CTF is made of many parts from the actual teams, the organizers, observers,
third party supporters, the press, con attendees wanting in on some action,
and those newbies wondering WTF.

 

YOUR CONSTRAINTS:

You must design a bad-ass contest. This contest must have a multiplayer /
team aspect, continuing the world series of hacking CTF goal. Your contest
can be based on previous games, but shouldn't be a mere replication of
previous games. You can determine the teams/participants before DEFCON
through a pre-qualification phase, or at the conference with a first-come,
first-served approach. I would recommend against this, though, as it would
be a logistical nightmare. You can have multiple contests (for example, one
contest with individuals, one with teams). The contest can be totally
electronic, or it can take into account social engineering, physical
security bypass, even hardware modification. You determine the constraints,
size of teams, deciding if remote teams can play - really almost everything
is up in the air.

 

You design the network topology. You determine the rules. Your group will
determine the winner, and the losers. The idea behind this CFP is not to ask
people to reproduce past Capture the Flags, but to have your group reinvent
and create something new, pushing the boundaries based on the same
creativity and energy that CTF is known for. Challenge your friends!

 

Something to note: Some groups have come forward wanting to help, but not to
run, with whoever ends up organizing CTF in 2013. One group has really cool
gear and experience in control systems, so it would be possible to augment
your contest to include them if you are interested.

 

YOU MUST:

Continue with the World Series concept, a contest to include the winners of
other contests.

 

Clearly communicate the rules to the participants before the contest, set up
clear eligibility requirements (if any) before the conference, set up the
network, provide any infrastructure that you wish to be part of the game,
referee the game while it is taking place, create a scoring system that
observers can view to get an idea of what is going on, and determine
winners. The easier it is for contestants to understand how to win, the more
fair the contest will feel. The contest must end no later than three hours
before the end of DEFCON (5pm Sunday) in order to provide time for final
scoring and the awards ceremony.

 

YOU MUST NOT:

Interfere with the DEFCON networks (i.e., it must be a separate network),
interfere with the 'live internet', involve non-consensual parties (i.e.,
anyone who hasn't explicitly agreed to take part in the contests), take
bribes that are not equally shared with the DEFCON staff. You must be
totally neutral and fair.

 

In the past, network traffic on CTF has been captured for later forensic
analysis and shared with the community to further IDS and network sniffer
developers. Expect that should we want to do this again there is a way to
give access to those wanting to capture traffic while not actively
participating in the contest.

 

 

YOUR SUBMISSION WILL BE JUDGED:

On any innovations or revolutionary enhancements to the game.

On the feasibility of your team getting all the work done (note: we will
publicly humiliate you if you get accepted and fail to perform!)

On the amount of fun that participants will have.

On how your contest contributes to the World Series aspect of the contest.

On how well the final winning team really represents those with the best
skills and tech, and not just luck, to come out on top.

 

Once you submit your ideas (Yes you can submit more than one concept) we
will start communicating with you to clarify anything we don't understand.
Feel free to ask us questions so you know what you are getting yourself
into. A group that works well together is almost a must. Past organizers did
very well because they had a large enough pool of talent to draw upon when
building their automated systems, and the time to test them in advance.

 

RESOURCES WE CAN PROVIDE: 

Badges to the conference and access to the CTF area for setup beginning
Tuesday before the con. Physical space roughly equal to that which has been
provided at past DEFCONs. Tables for participants to use. Screens and LCD
projectors to display data with. Network connections from the net if
necessary. Some network gear and power strips - please let us know early
what you need so we can plan for it. Prizes for the winning people or teams.
If you want to turn the CTF area into a giant free-for-all we can get the
power strips and tables. If you want it to be like years past with up to 20
team tables we can do that too. Want to drop some clues in the printed con
program? Want to incorporate some clues or components into the attendee
badges? We can do that too! Winning teams get a maximum of eight coveted
Black Badges.

 

We can also provide hotel and some money for your stay at the con as well as
help out with some equipment and gear. While we don't have a fortune for the
CTF we can make life easier for the organizers and contestants.

 

NOTE:

If you plan to continue with pre-qualifying teams there basically needs to
be a consistent resource to do this management. Teams will game this
pre-qual system, and at this point it seems that the best defense against
this is to have a single person act as a liaison and develop relationships
with organizers of other CTFs.

 

DDTEK envisioned that any pre-qualifier that did not place in the top half
at the end of the game two years in a row would not be a pre-qualifying
contest the following year - that contest obviously does not create a winner
capable of winning DEFCON CTF (instead a different contest would be selected
to pre-qualify).

 

DDTEK carefully selected the prequalified contests based on caliber of game,
history, likeness, etc.

 

RESEARCH POINTERS:

If you haven't been to DEFCON before, you should understand the environment
your contest must operate in! https://www.defcon.org/ will get you started.
These may help give you an idea about past contests, what has worked, and
what hasn't.

 

DEF CON CTF Website:

https://www.defcon.org/html/links/dc-ctf.html

 

DDTEK website:

http://ddtek.biz/

 

Worldwide CTF tracking site:

http://ctftime.org/

 

Online repositories of various CTF related data:

http://repo.shell-storm.org/CTF/

http://captf.com/

 

Psifertex' Defcon 17 Presentation - Maximum CTF:

http://www.youtube.com/watch?v=-6mI3tp6RxI

https://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-psifertex-max_ctf.pdf

 

Ceazar gave a presentation on running hacking contests at Black Hat Asia
(learn from a master):

http://www.blackhat.com/presentations/bh-asia-04/bh-jp-04-pdfs/bh-jp-04-eller/bh-jp-04-eller.pdf

 

A rundown of DEFCON 16 CTF by atlas of team l@stplace (DEFCON 14 and 15 CTF
Winners):

http://atlas.r4780y.com/cgi-bin/atlas/2008/08/12

 

Walkthroughs of the last 2006-2009 CTF Competitions:

http://nopsr.us

 

Interview with Def Con CTF Winning Team Member Vika Felmetsger (2005):

http://taosecurity.blogspot.com/2005/08/interview-with-def-con-ctf-winning.html

 

So you want to play a game?

 

HERE IS THE PROCESS:

 

1. Fill out the application below. You will receive an acknowledgment that
your submission was received within 48 business hours of us receiving it
unless we are snowed in and the interwebs are broke.

 

2. We will use relatively simple criteria to judge your entry. 1)
Feasibility of your team pulling it off taking into consideration who is
involved in your team, resources you have, etc. 2) The amount of fun we
imagine the participants will have with your contest. 3) The coolness or
innovation you bring to the contests.

 

3. We will contact finalists and ask them further questions, and talk over
any questions that we will inevitably have.

 

4. We will announce the winner(s) as soon as we can after the close of the
CTF CFP date. It could be possible that we will choose multiple teams that
run concurrent but different types of contests.

 

5. We will hammer out details over the phone, participating in your game
creation (not interfering with it, just ensuring everything is going
smoothly). We will conference call with you and may fly you out to sunny
Seattle to meet with us to discuss planning for the event.

 

6. If you desire their help, DDTEK has volunteered to spend time working
with the selected team, answering their questions, explaining their process
and what they learned in designing their game. They have a lot of experience
and skill so this is a resource you will want to take advantage of.

 

APPLICATION:

All contact information will be kept private, and not disclosed outside the
DEFCON planning organization.

 

About you and your group

 

Name of your organization:

 

Name of primary contact:

 

Email Address of Primary contact:

 

Phone number of primary contact:

 

Number of people in your organization (that will actively be participating
in creating/planning/executing CTF):

 

Experience team members have had in planning events (This could be a bake
sale with 500 people, or a DoD briefing for 20 people, something that
indicates some planning experience):

 

Technical ability of team. This would include a general list of people's
abilities - networking, hardware, etc. - and support the idea you can pull
this off:

 

Physical resources (if any) that you will be bringing to help run CTF such
as a disco ball, robots or enigma machines. This is to help us plan to
accommodate it with the hotel if you require extra power or special fire
marshal approval for your Cray 1 cooling towers:

 

What experience have your team members had in playing CTF in the past? This
is not a requirement, but shows real-world knowledge of the game as it has
been played in the past:

 

Explain your vision for CTF

-Explain, in a general manner, your vision of your CTF.

 

-Explain how you hope the attendees will experience it. For example, they
sign up on-line, get a secret package in the mail, start blindfolded with an
unusual laptop? Are there certain crisis points you will introduce during
the game to confuse or add to the pressure?

 

-Provide three reasons your group should host CTF.

 

-How do players or teams qualify (if there are qualifications)?

 

-Is it multiplayer or single-player, or a combination?

 

-What innovations or new ideas are you bringing to CTF?

 

-How long will the contest take, will it be 24x7, 8 hour shifts, etc?

 

-What technical work is required to execute your plan? This includes setting
up environments beforehand, pre-qualification work if any, writing a scoring
system, etc.

 

-Give an outline of the rules that will be presented to the participants:

 

-Why do you want to do this?

 

-What hardware resources do you request or need from DEFCON?

 

-Explain what you believe is the best way to gauge a hacker's abilities, and
how your vision of the contest could do this?

 

-Tell us anything else that you think may be important or that we might
consider in choosing your group to host CTF.

 

Send 'em in!

 

If you are submitting multiple ideas please make each one a separate email
so when printed and forwarded between judges there is less confusion.

 

Deadline is February 28th, 2013. Submissions go to ctf [at] defcon [d0t] org

 

A discussion area has been created on the DEFCON forums under the DEFCON 21
Events section to cover new ideas, ask for feedback, and get an idea of what
is going on.

https://forum.defcon.org/showthread.php?t=13160

 

New announcements will be on the main DEFCON web site as well:

https://www.defcon.org/

 

Feel free to join the discussion, ask people for feedback on your ideas, ask
questions... use all the resources at your disposal!

 

Thank you!

 

The Dark Tangent
