2013 Visual Branding: Quals

The 2013 season is in its final throes of winding down, so I thought I'd share some information about the visual branding we used.

From the beginning, we decided to pass on the vintage hacker standard of bright text on a black background: it's definitely a look, but it's hard to do something exceptionally legible with it that has any character at all. Gynophage came up with the idea of something that looked like a Japanese game show. There's tons of reasons to love it: clips from Japanese game shows have been favorites for the distraction screens in previous years, so it's not unfamiliar, there's a wide variety of motifs and colors to be used, and we don't know of other games that used this visual style.

Within hours of this suggestion I'd cooked up a rough draft in HTML: a weird salmon background, Katakana at a weird angle, parchment behind text, and an intent to have both English and Japanese text for most of the body copy.

We were also using the "Ubuntu" font family from said Linux distribution: it's a readable but distinctive sans-serif font, is available in a shit-ton of different weights, has condensed and monospaced variants, and is available on Google Web Fonts to make it work on your web browser.

This was pretty anemic feeling though; it was too "Easter Sunday," not enough "watch this pizza driver get battered and pummeled until they fall off a balance beam."

I spent a little time in Photoshop farting around with colors, and came up with this ghastly mix of a strawberry linen texture, yellow, and parchment that stuck with us.

Astute readers will notice the nonsense Japanese text for our logo. We hemmed and hawed about it, and I spent a lot of time punching synonyms of "Legitimate Business Syndicate" into Google Translate, until landing on "true company," which turns into four glyphs. I felt that four glyphs worked the best visually.

The grey login box kinda sucked, as did the copyright bullshit at the bottom.

I made a salmon and white striped texture and used that on the login box. Here you can see it in its native habitat, aliasing poorly when rotated at a small angle because I hadn't figured out the difference between 2D and 3D rotation in browser-land.

We also had screens for the full "Create Account" flow, and a dashboard where you could create or join teams, but they were relatively simple.

I spiked out the quals gameboard on January 4. The huge overbearing logo didn't last, but the Jeopardy board, message box, and the actual scoreboard did.

Having played on a university team, I also knew the importance of having the scoreboard fit on a low-resolution (800x600) projector, and that I could do it pretty easily with a media query.

On March 7, 2013, we found out we won the bid to host DEF CON Capture the Flag.

We went public with an announcement on March 23, and a schedule on April 1, as is tradition. For our schedule, we designed another kind of box, the blue grid, for the schedule and other calendar-y things. Part of the schedule was a list of other CTF events happening in June, because we love you.

During the run-up to quals, I spent a lot of time dithering about challenges (and not much time writing them), and only in the last month or so polished up the scoreboard to be ready to go live.

Revisiting the gameboard, we loved the angled leaderboard, decided we didn't want to wear out the logo, and absolutely hated my awful colors.

Consider the quals game flow: all problems are locked at the beginning, solved problems are solved, unsolved but unlocked problems are open, and the most recently unlocked problem is "hot." The "hot" problem has a special status. We need to communicate all four states clearly.

The first thing I did was get rid of the old terrible colors, and replace them with a flat strawberry color.

Then I added an absolutely vile green for the solved problems.

I hooked up some data, toned down the pink and green, textured the green with check-marks (solved!), and started work on the challenge window. The "hot" visual showed up here for the first time, being a crimson.

I wanted to bring back some fun to the style without being as retina-burning as the neon green and pink atrocities previously committed. The obvious treatment for "hot" challenges is something hot, like fire.

Animated fire.

We added a couple more textures: pink hearts for unlocked problems, dark cherry 'X' marks for locked problems.

The only changes after that were cutting the number of categories down to five, putting a clock at the top of the leaderboard, and actually running the damn game.

Quals Statistics

Lines of Sass	583
Bytes of minified CSS	10865
CSS "float" declarations	11
Inline style attributes	0
Favorite CSS declaration	tie between "padding" and "width"

Open-Source Tools Used

bourbon by Thoughtbot, a nice set of Sass mixins that made dealing with cross-browser transforms easier.
Sass by the Sass team, for mixins, variables, and all the other features missing from CSS.
Haml by the Haml team, because I fucking hate closing tags.

2013 Finals Scorebot SQL Download

"I want to download and audit the Scorebot from DEF CON 21 CTF."

Download file

###     #######   ##### ### ####### ### ######    ##    ####### #######
###     #######  ###### ### ####### ### #######    ##   ####### #######
###             ###     ###         ### ##   ##    ##
###     ####### ##  ### ### ###     ### ## # ##  ## ##  ###     #######
###     ###     ###   # ### ###     ### ## # ##  ## ##  ###     ###
####### #######  ###### ### ######  ### ## # ## ##   ## ######  #######
####### #######   ####  ###  #####  ### ## # ## #######  #####  #######

######  ##   ##  ####   ### ######  #######  ####    ####
    ### ##   ##  ###    ### ####### #######  ###     ###
    ### ##   ##   ###   ### ##  ###           ###     ###
######  ##   ##    ###  ### ##   ## #######    ###     ###
    ### ###  ##     ### ### ##   ## ###         ###     ###
    ### ####### ####### ### ##   ## ####### ####### #######
######   ###### ######  ### ##   ## ####### ######  ######

 ####   ##   ## ######  #####   ###   #####   ##    ####### #######
 ###    ### ### ####### ######  ###  ######    ##   ####### #######
  ###   ####### ##  ###     ### ### ###        ##
   ###   #####  ##   ## ##   ## ### ##       ## ##  ###     #######
    ###         ##   ## ##  ### ### ###      ## ##  ###     ###
#######   ###   ##   ## ######  ###  ###### ##   ## ######  #######
######    ###   ##   ## #####   ###   ##### #######  #####  #######

▒█▀▀█ ▒█▀▀█ ▒█▀▀▀ ▒█▀▀▀█ ▒█▀▀▀ ▒█▄░▒█ ▀▀█▀▀ ▒█▀▀▀█ ▄ 
▒█▄▄█ ▒█▄▄▀ ▒█▀▀▀ ░▀▀▀▄▄ ▒█▀▀▀ ▒█▒█▒█ ░▒█░░ ░▀▀▀▄▄ ░ 
▒█░░░ ▒█░▒█ ▒█▄▄▄ ▒█▄▄▄█ ▒█▄▄▄ ▒█░░▀█ ░▒█░░ ▒█▄▄▄█ ▀ 

╭━━━┳━━━┳━━━╮╭━━━┳━━━┳━╮╱╭╮╭━━━╮╭╮
╰╮╭╮┃╭━━┫╭━━╯┃╭━╮┃╭━╮┃┃╰╮┃┃┃╭━╮┣╯┃
╱┃┃┃┃╰━━┫╰━━╮┃┃╱╰┫┃╱┃┃╭╮╰╯┃╰╯╭╯┣╮┃
╱┃┃┃┃╭━━┫╭━━╯┃┃╱╭┫┃╱┃┃┃╰╮┃┃╭━╯╭╯┃┃
╭╯╰╯┃╰━━┫┃╱╱╱┃╰━╯┃╰━╯┃┃╱┃┃┃┃┃╰━┳╯╰╮
╰━━━┻━━━┻╯╱╱╱╰━━━┻━━━┻╯╱╰━╯╰━━━┻━━╯
╭━━━┳━━━┳━━━┳━━━━┳╮╱╭┳━━━┳━━━╮
┃╭━╮┃╭━╮┃╭━╮┃╭╮╭╮┃┃╱┃┃╭━╮┃╭━━╯
┃┃╱╰┫┃╱┃┃╰━╯┣╯┃┃╰┫┃╱┃┃╰━╯┃╰━━╮
┃┃╱╭┫╰━╯┃╭━━╯╱┃┃╱┃┃╱┃┃╭╮╭┫╭━━╯
┃╰━╯┃╭━╮┃┃╱╱╱╱┃┃╱┃╰━╯┃┃┃╰┫╰━━╮
╰━━━┻╯╱╰┻╯╱╱╱╱╰╯╱╰━━━┻╯╰━┻━━━╯
╭━━━━┳╮╱╭┳━━━╮╭━━━┳╮╱╱╭━━━┳━━━╮
┃╭╮╭╮┃┃╱┃┃╭━━╯┃╭━━┫┃╱╱┃╭━╮┃╭━╮┃
╰╯┃┃╰┫╰━╯┃╰━━╮┃╰━━┫┃╱╱┃┃╱┃┃┃╱╰╯
╱╱┃┃╱┃╭━╮┃╭━━╯┃╭━━┫┃╱╭┫╰━╯┃┃╭━╮
╱╱┃┃╱┃┃╱┃┃╰━━╮┃┃╱╱┃╰━╯┃╭━╮┃╰┻━┃
╱╱╰╯╱╰╯╱╰┻━━━╯╰╯╱╱╰━━━┻╯╱╰┻━━━╯

  ##       ###   #         ###     ## ##   ##  #   ###
 ## #     # ###  #         ####    ## ##   ## ##   ## ##
 ##      ##  ##  ##        ## ##   ##  ##  ######  ##  ##
  ####   ##   ## ##        ##  ##  ##  ##  #### #  ##  ##
      ## ##  # # ###       ##   ## ##   ## ## # ## #####
 ###  ## ###  #  ###       ##   ## ###  ## ##   ## ##
  #####    ### # #######   ######   #####  ##   ## ##

          FOR POSTGRES 9.2-COMPATIBLE DATABASES

Installation instructions for Postgres 9.2:

> createdb scorebot_production
> psql scorebot_production < scorebot_production.1376266721.sql
> psql scorebot_production

scorebot_production=# select id, name from teams order by name asc;
 id |             name
----+-------------------------------
 13 | 9447
 18 | APT8
 19 | Alternatives
 21 | Legitimate Business Syndicate
  2 | PPP
 20 | Robot Mafia
  1 | Samurai
  6 | The European Nopsled Team
 12 | WOWHacker-BI0S
  3 | [Technopandas]
  8 | blue lotus
 15 | clgt
 14 | men in black hats
  7 | more smoked leet chicken
  5 | pwnies
 17 | pwningyeti
  4 | raon_ASRT
  9 | routards
 10 | shell corp
 11 | shellphish
 16 | sutegoma2
(21 rows)

An Entity Relationship Diagram is made available for your perusal.

THIS SQL DUMP IS PROVIDED UNDER THE CREATIVE COMMONS CC0 LICENSE

To the extent possible under law, Legitimate Business Syndicate has waived all copyright and related or neighboring rights to the DEF CON 21 CTF SQL dump. This work is published from: United States.

http://creativecommons.org/publicdomain/zero/1.0/

Responses to Feedback

Mystical greetings.

We've received a lot of feedback about the game we hosted this year. We would like to address a few of the loudest and most heard pieces of feedback we received. However, we'll first tell you what other resources we're releasing in the coming weeks:

Finals database of tokens, captures, availabilities, and so on; out now, you can torrent it.
Quals binaries we didn't release.
Final binaries and Team 21 image.
Final availabilities checks.
Network packet captures; for the sake of teams that used our internet access, we're filtering their private data out.
Toolchain for any applicable binaries, including "reeses."

Zero Sum doesn't provide granularity at the low end.

This is true. We know that it’s hard to explain to your parents and friends what exactly is going on if you're hugging 0 points along with a few other teams. It was assumed by con attendees that many of the teams on the bottom of our scoreboard were simply not trying—THIS IS NOT THE CASE. We promised fewer, harder services, and we delivered on that. Even the teams at the bottom of our board are among the best in the world at what they do.

We’ll provide more information next year, although don’t count on us to change the algorithm.

The team size limitation is bogus.

Some of the team size limitation comes from fear of failure—fear that we couldn't deliver services that were truly deeper and harder. By allowing fewer people into the game, we got to cover our bases on the other side, and still hold hope that the game would last all weekend, even if we slipped on the difficulty of the game.

While that worked, we found out that many teams use DEF CON CTF as a social event for their entire team. While we still don't agree that it is the appropriate venue for training junior members, we are receptive to the social aspect many of the teams were expecting.

Some teams had hardware to run services, others didn't.

Some teams also brought bigger monitors, shower curtains, and a home-brewed laptop with obnoxious color LEDs; not to be crass, but many of the teams that prioritized bringing tons of hardware didn’t do so well. Being prepared is less important than being flexible.

The game has never been hosted on ARM, and no teams could have known with any certainty what architecture the game would or wouldn’t be hosted on. Some of the ARM challenges in quals might have foreshadowed ARM at finals. Many teams went and purchased ARM machines such as Chromebooks to overcome this, and more frugal teams simply used qemu to overcome this.

Ubuntu: apt-get install qemu-user-static lxc && lxc-create -n ctf -t ubuntu -- -a armhf

If we host on something that you can’t buy cheaply and emulate for free, we’ll let you know with plenty of lead time.

The music in the room wasn't loud enough.

We understand the spectacle of watching people give up their conference to compete at this level, and know quite well that music and videos make this more fun for spectators. However, we also have to worry about our competitors: CTF is hard enough without interruptions or listening to “Satisfaction” at a bone-rattling volume once an hour.

In years past, the volume has been so high that competitors were unable to filter it, even with a combination of ear plugs and noise reduction headphones. We certainly want everybody who comes by our room to have a good time and be entertained, be it competitors, team runners, or spectators. We are open to ways to keep the CTF floor entertaining, but it has to be in a format that doesn't impact the teams who are playing.

With that said, we’ve got some plans for next year: fix bugs, more metrics, more visuals, even harder services, and anything else that we believe will make the game better for you.

Once again, we would like to thank all teams for their involvement in our game, as well as everybody that placed their trust in us to be good shepherds of a long held DEF CON tradition. We hope that in the future we can continue to deliver the same quality game that will make everybody involved proud to be a part of it. Thank you to the community for welcoming us, being such good sports, and providing us with the feedback we need to bring you the best game we can in 2014. Good luck, and we'll see you then.

PPP AMA DEF CON CTF TLA

Many members of PPP, 2013 DEF CON CTF champions, are participating in an AMA ("Ask Me Anything," like a group interview) on Reddit: We are the Plaid Parliament of Pwning. Ask Us Anything!

Final Writeup

Hello!

We're absolutely and completely thrilled at the response to our game this year! As we said during the closing ceremonies, we're honored and proud that you all competed with us, and would like once again to thank:

Dark Tangent and the other DEF CON organizers, for supporting our plans to host.
The DEF CON Goons, for helping make the contest in Vegas a fun and enjoyable venue.
The twenty teams that competed in finals, for running a friendly, honorable, and skillful game. You all did a great job, no matter where you ended up on the scoreboard.
The 898 teams that competed in the qualifying game in June, for your spectacular show of skill in solving our challenges over 2400 times.
And last, but certainly not least, we'd like to thank our friends, families, and significant others, for forgiving our long nights and exhausting weekends over the last several months.

While we did get a small chance to explain the game during closing ceremonies on Sunday night, we'd like to share a more detailed and thoughtful set of results.

Zero Sum

The finals game this year was zero-sum: the game started with 50,000 flags, allocated 2500 per team. It ended with 50,000 flags, although less evenly distributed. Capturing a token would net you an even share of the nineteen flags that token was worth, with "remainder flags" being reallocated later.

What this meant for the game flow was a terrible calculus for leading teams. Teams with no flags will obviously not be very lucrative targets. Teams with large stockpiles of flags were also more likely to turn any exploit launched at them around as a new attack, devaluing the exploit.

Teams competent at attacking but not focused on defense saw massive flag losses that they, generally, weren't able to capture them back quick enough.

One Hour Left

With an hour left in the game Sunday afternoon, we had PPP at the top of the leaderboard, followed by "men in black hats" and "raon_ASRT," who had finished Saturday with shockingly close scores. The black-hatted gentlemen were leading by fewer than 240 flags, which meant that the Korean team might be able to mount a comeback for the second place.

Unfortunately, it was not to pass. Most of the teams stayed in the same relative standings during the game's final hour, and the top end of the scoreboard bled even more flags from the lower portions: PPP managed to capture over a thousand flags in the last sixty minutes.

As the final bars of Europe's "The Final Countdown" echoed through the room, we confirmed to ourselves the final top three:

PPP
men in black hats
raon_ASRT

Two Mistakes

We made a few mistakes and misjudgements during the game, from network settings causing a few captured tokens to expire without capture, to scoring logic errors that left Legitimate Business Syndicate with an incredible number of flags, we have a few things to fix next year. The two mentioned mistakes have an impact on game scoring.

The misconfigured network caused teams to be incorrectly throttled in their connections to the REST API that redeemed tokens for flag captures. This meant that some teams weren't able to redeem captured tokens due to the busy and hostile network environment. Since this was discovered on Sunday morning, after a long night of discovering new vulnerabilities, it was especially painful.

We have reprocessed those expired tokens based on logs and scorebot data, since they disproportionately and unfairly affected individual teams unevenly. They are included in the final results.

The scoring logic error that left remainder flags in our possession affected all teams equally; while this may have resulted in different scores, we believe that not only did it affect all teams equally and fairly, we also hold that changing this would invalidate many teams' actions during the game. All twenty competing teams played the game as implemented, not the game we wish we did after the fact.

We have not factored the missing remainder flags into the final results.

Three Observations

Each token was worth nineteen points, split between every team that redeemed it. Fourteen teams figured out that if they redeemed their own tokens, they'd deprive other teams of valuable flags.
Non-virtualized team hardware removed most of our concerns about CPU starvation due to malicious action. The remaining concerns were based on cooling capacity and reduction thereof when the lid was off the box holding team hardware.
Teams with fewer than fifty flags are pretty much a rounding error: since we processed captures and SLA failures sequentially instead of in parallel, whether or not they were rewarded for captures or penalized for getting owned last was displayed in their score, although they didn’t have control of this.

What's Next

We'd like to get more data out to you soon! Check back this weekend.

We'd also like to get next year's game scheduled. Check back when we've had a long vacation.

We'd love any links, thoughts, rants, writeups, and so on that you have about this year's game. Tweet them at @legitbs_ctf or email them to [email protected].

Links and Other Information

Legitimate Business Syndicate on Twitter: we tweet a lot.
Quals Scoreboard Data Dump: Who answered what, when.
DEF CON Forums: this is totally a good place to post writeups.

Hacklemore

Finals 2013 Public Handout

You have entered the Capture the Flag room, site of the premier head-to-head hacking competition. In front of you are the top 20 hacker teams from around the world who beat out 878 other teams in an online qualifier to make it here.

The game’s idea is simple. Attack other teams and steal their flags. Defend your system from being attacked. A balanced offense and defense will give each team the best chance to win.

Each team can see all 19 other teams on the network and may attack at any time. Each team is given multiple services that must be kept running. Each service may contain vulnerabilities which other teams can exploit to steal flags. Good defense involves finding vulnerabilities and patching them to prevent their flags from being stolen.

The current score is displayed on one of the two overhead projectors. You can see how the game is trending and if any teams have pulled away from the pack.

Similar to wild animals, the hackers should not be poked or taunted. Please leave them to their hacking. If you have a question, please come talk to a member of the hosting group, Legitimate Business Syndicate. We’re wearing the [logo] shirts.

The winner will be announced at the DEF CON closing ceremonies on Sunday evening. The winning team will receive eight black badges (lifetime DEF CON admission) and the admiration of their peers. Please join us at the ceremony in congratulating the winning team. They’ll deserve it!

Think you’re elite enough to compete? Check https://legitbs.net/ in the coming months for information about next year’s qualification rounds, and…

____ ___ ______!

Finals 2013 Rules

You're competing in the DEF CON CTF game because you enjoy difficult challenges and you want to win the game, so please play the game as we have presented it. Know that all teams will be facing the same difficulties and we ll be enforcing the same rules on all.

The DEF CON CTF game is designed to test each team's ability to protect and attack a prescribed set of services over a network. Physical attacks, rooting your jail, and attacking our game infrastructure are all out of bounds.

The listed rules are simple. The rules are not to be gamed. Need clarification? Please ask.

Eight (8) people per team.
- No swapping.
Do not attack infrastructure.
No physical attacks.
Tables will be organized with team privacy in mind. Use the provided stanchions and ropes to prevent spectators from getting behind your tables.
- If someone is bothering your team, ask them to leave or tell us
Time spent breaking your jail is time wasted. This is not the competition to throw your Linux 0-day. Breaking out is an accomplishment and we ll congratulate you on it, but we ll also take it away and make you stop. Don t waste your time.
- Rooting your box breaks the game in a number of ways and we consider the jail to be a part of our infrastructure.
Team captains speak for their team.
- A captain token will be given to each team
- No person approaching the organizer s table without a captain token can make decisions for their team
- Protect your captain tokens
Your team's client certificate and private key submits flags and uses the scoring system for your team.
- Protect your private key; we can revoke a client certificate but only with the captain token.

Penalties

Warning
Loss of flags
Network cables cut

Scoring

The purpose of the game is to defend your services (keep other teams from taking your tokens) and to attack other teams' services (and steal their tokens).
Steal tokens to win flags.
Keep your services protected and functioning to keep flags.
You'll have SSH keys and HTTPS client certs (provided by us) to log in to your system and the scoring system. Bring a drive that can read CD-R discs. It s okay if it s built in.

Flags vs Tokens

Tokens are long alphanumeric strings you steal from another team's box and submit to the scoring server.
Flags are the points you see on the scoreboard.
- When you submit another team's token, it will be worth a certain number of flags. Your score will go up by the number of flags the token was worth.

Flags

This game will be zero-sum; the total number of flags in the game will remain the same.

When you steal flags from another team, they lose flags.
Each stolen flag will be placed in a bin for the same service it was stolen from.
- Those flags can be lost again through that service when it is exploited by others.
Given enough time, it is possible to lose all flags for a service.
- There will be nothing left to steal from you until you steal flags from another team.

You will score flags in the following way:

Exploit a team's service and steal their token. Submit their token to the scoring server.
You will score 19/N flags, where N is the number of teams who also scored on the same team/service combination.
Example: You steal and submit a token from team BAR s service X, and so did two other teams during the same scoring period. You will get 19/3 (6) flags.

You will lose flags in the following ways:

Another team exploits your service and steals a token. You will lose 19 flags for this. If more than one team score on the same service, they split the 19 flags.

Example: If your X, Y, and Z services all get exploited in the same round, you lose 19 flags from each service s bin (assuming you have flags left to lose).

Your service fails an SLA check. You will lose 19 flags for this (distributed evenly to all other teams who still have that service up).

Scoring Period

Tokens change every scoring period.
Each token can only be redeemed once per team.
The scoring period may be changed throughout the game.

SLA

Once during every scoring period:
- All teams services will be checked for responsiveness
- All submitted tokens to the scoring server will be tallied
- All earned and lost flags will be allocated.

Network

There is ONE network cable to connect your team to the game network
Each team has its own dedicated /24
Your subnet is 10.5.<your team #>.0/24
- The default gateway is 10.5.<your team #>.1
- Internet access is provided by the DEF CON network; availability may vary.
- You can use 10.5.<your team #>.1 as a nameserver
- A DHCP server will provide addresses to you in the .100 - .200 range if you choose to accept them
Your vulnerable image is running at 10.5.<your team #>.2
Packet captures are available from the server at 10.5.<your team #>.3 (more about this below)
You can assign any other IP address on your subnet if you want a static IP
SSH is the only port blocked between teams.

Network Captures

We will provide packet captures to you with a 10 minute delay
Each capture file will contain 5 minutes worth of data and will be named latest.cap
Captures can be obtained by SFTP-ing to 10.5.<your team #>.3 using the capture ssh key pair provided on the CD
- The key pair files are named based on your team name and that name is the username for the SFTP connection to the capture server
- So, for example, if your capture SSH key pair on your CD was named xxx-capture and you are team 30, then you would get the latest capture file by running:
  - sftp -i xxx-capture [email protected]:latest.cap .
- SSH shell access to the capture server is not permitted. You must use SFTP to copy your latest capture file.

Vulnerable Image

You can ssh to your vulnerable image at the start of the game using the username ctf and using the SSH key pair named <teamname>-vuln provided to you on the CD
Your ctf user has group membership and sudo access to all of the game service users
You do not have root access on this image
All services must be run from the provided image

Legitimate Business Syndicate