2014 was our second year running DEF CON Capture the Flag, and we're still in shock at how well things went for our players and spectators. Here are our final thoughts about this year's game.
This year's scoring mostly worked as documented: each team's instance of a service started with 417 flags, flags remained with the service even as they moved through teams, and teams could in theory come back from their flags on a service zeroing out.
On Friday, we found a bug that caused round-end flag distribution to be run once for each enabled service in a given round, instead of once in a given round. We fixed this Friday afternoon, and re-ran the scoring algorithm over the entire game Saturday. Additionally, we were able to re-run scoring when teams lost SLA checks due to hardware failures on our end.
|Plaid Parliament of Pwning||11263|
|(Mostly) Men in Black Hats||2594|
|More Smoked Leet Chicken||1248|
The DEF CON 22 CTF badge ran two openMSP430 cores, one for the radio, and one for the vulnerable "badger" service. The PCB was fabricated in the USA by OSHPark. The badges were hand assembled at our secret lab by Jymbolia, Duchess, Gyno, and Sirgoon. The team badge and server software was written by Sirgoon and the VIP badge software was written by grumpybear, using Adafruit LCD graphics libraries.
We would like to apologize to the two-year champions, PPP. An off-by-one error in our badger backend code made it impossible for team id 0 (PPP) to score correctly. They had a working exploit before the end of day 2, but were unable to score any points because of this.
The biggest draw to our room this year was the attack visualization by Hoju and Lightning, which ran Saturday and Sunday.
Each box represents a team, and their physical position within the room. The projectiles represent successful attacks from the launching team against the exploding team. On Saturday morning, the colors of the line indicated which service they were for. However, we found out that at least one team dedicated a player to watching this display as part of a forbidden defensive strategy, and Saturday afternoon and evening, we switched the colors to be random.
On Sunday, we replayed the Friday and Saturday event streams with per-service colors.
Historically much of the CTF video content that's been played at DEF CON was extremely sexualized, and would get an R or NC-17 rating in theaters. With the DEF CON audience diversifying, maturing, and simultaneously getting younger, this material is leading to awkwardness, discomfort, embarrassment, offense, and rightful public criticism.
We're not sure what the solution will be: more family-friendly music videos that keep with the DEF CON CTF aesthetic, fewer music videos, more visualizations, or (almost certainly) a combination of these.
Know that it is a problem with many of us at Legitimate Business Syndicate, and we hope we'll do better next year.
We're planning on open-sourcing most of the vulnerable services from both our qualifiers and final games this year, as well as the registration and scoring systems for both. We hope to have these out in September.
We're taking the next several months to relax and plan for 2015. If you're interested in Capture the Flag, check out CTF Time for information about other games that'll help you practice and prepare. Keep an eye on the Legitimate Business Syndicate blog and Legitimate Business Syndicate on Twitter for more DEF CON CTF news.
See you in 2015!