Final Writeup


We're absolutely and completely thrilled at the response to our game this year! As we said during the closing ceremonies, we're honored and proud that you all competed with us, and would like once again to thank:

  • Dark Tangent and the other DEF CON organizers, for supporting our plans to host.
  • The DEF CON Goons, for helping make the contest in Vegas a fun and enjoyable venue.
  • The twenty teams that competed in finals, for running a friendly, honorable, and skillful game. You all did a great job, no matter where you ended up on the scoreboard.
  • The 898 teams that competed in the qualifying game in June, for your spectacular show of skill in solving our challenges over 2400 times.
  • And last, but certainly not least, we'd like to thank our friends, families, and significant others, for forgiving our long nights and exhausting weekends over the last several months.

While we did get a small chance to explain the game during closing ceremonies on Sunday night, we'd like to share a more detailed and thoughtful set of results.

Zero Sum

The finals game this year was zero-sum: the game started with 50,000 flags, allocated 2500 per team. It ended with 50,000 flags, although less evenly distributed. Capturing a token would net you an even share of the nineteen flags that token was worth, with "remainder flags" being reallocated later.

What this meant for the game flow was a terrible calculus for leading teams. Teams with no flags will obviously not be very lucrative targets. Teams with large stockpiles of flags were also more likely to turn any exploit launched at them around as a new attack, devaluing the exploit.

Teams competent at attacking but not focused on defense saw massive flag losses that they, generally, weren't able to capture them back quick enough.

One Hour Left

With an hour left in the game Sunday afternoon, we had PPP at the top of the leaderboard, followed by "men in black hats" and "raon_ASRT," who had finished Saturday with shockingly close scores. The black-hatted gentlemen were leading by fewer than 240 flags, which meant that the Korean team might be able to mount a comeback for the second place.

Unfortunately, it was not to pass. Most of the teams stayed in the same relative standings during the game's final hour, and the top end of the scoreboard bled even more flags from the lower portions: PPP managed to capture over a thousand flags in the last sixty minutes.

As the final bars of Europe's "The Final Countdown" echoed through the room, we confirmed to ourselves the final top three:

  1. PPP
  2. men in black hats
  3. raon_ASRT

Two Mistakes

We made a few mistakes and misjudgements during the game, from network settings causing a few captured tokens to expire without capture, to scoring logic errors that left Legitimate Business Syndicate with an incredible number of flags, we have a few things to fix next year. The two mentioned mistakes have an impact on game scoring.

The misconfigured network caused teams to be incorrectly throttled in their connections to the REST API that redeemed tokens for flag captures. This meant that some teams weren't able to redeem captured tokens due to the busy and hostile network environment. Since this was discovered on Sunday morning, after a long night of discovering new vulnerabilities, it was especially painful.

We have reprocessed those expired tokens based on logs and scorebot data, since they disproportionately and unfairly affected individual teams unevenly. They are included in the final results.

The scoring logic error that left remainder flags in our possession affected all teams equally; while this may have resulted in different scores, we believe that not only did it affect all teams equally and fairly, we also hold that changing this would invalidate many teams' actions during the game. All twenty competing teams played the game as implemented, not the game we wish we did after the fact.

We have not factored the missing remainder flags into the final results.

Three Observations

  1. Each token was worth nineteen points, split between every team that redeemed it. Fourteen teams figured out that if they redeemed their own tokens, they'd deprive other teams of valuable flags.

  2. Non-virtualized team hardware removed most of our concerns about CPU starvation due to malicious action. The remaining concerns were based on cooling capacity and reduction thereof when the lid was off the box holding team hardware.

  3. Teams with fewer than fifty flags are pretty much a rounding error: since we processed captures and SLA failures sequentially instead of in parallel, whether or not they were rewarded for captures or penalized for getting owned last was displayed in their score, although they didn’t have control of this.

What's Next

We'd like to get more data out to you soon! Check back this weekend.

We'd also like to get next year's game scheduled. Check back when we've had a long vacation.

We'd love any links, thoughts, rants, writeups, and so on that you have about this year's game. Tweet them at @legitbs_ctf or email them to [email protected].

Links and Other Information