Registration for 2015 Qualifiers is Open!

Grab ∞ of your leetest friends and get ready for DEF CON CTF qualifications. We're building another great game for you this year, with brain-destroying binaries, super-sick shellcode shenanigans, and challenging fun for you. Register yourself, create or join a team, and get your affairs in order for DEF CON CTF 2015.

Register for DEF CON 23 Capture the Flag qualifiers at https://2015.legitbs.net/.

DEF CON CTF 2015 Qualification Update: February Edition

Hello!

We'd like to share the current DEF CON CTF 2015 qualification status, two hours before the start of Boston Key Party!

| Competition | Start Date | End Date | Link | Notes |
|---|---|---|---|---|
| DEF CON CTF 2014 | May 17, 2014 | Aug. 10, 2014 | https://legitbs.net/2014/ | Qualified the Plaid Parliament of Pwning. |
| SECCON CTF 2014 | Dec. 12, 2014 | Feb. 8, 2015 | http://ctf.seccon.jp/timeline.html | Qualified TOEFL Beginner. |
| RuCTFE 2014 | Dec. 20, 2014 | Dec. 20, 2014 | http://ructf.org/e/2014/ | Qualified Bushwhackers. |
| Ghost in the Shellcode | Jan. 16, 2015 | Jan. 18, 2015 | http://ghostintheshellcode.com/ | Qualified Samurai. |
| Boston Key Party | Feb. 27, 2015 | Mar. 1, 2015 | http://bostonkeyparty.net | Online jeopardy style game. |
| PlaidCTF | Apr. 17, 2015 | Apr. 19, 2015 | http://www.plaidctf.com/ | Online jeopardy style game. |
| DEF CON CTF Qualifiers 2015 | May 16, 2015 | May 17, 2015 | https://legitbs.net/ | Online jeopardy style, more information soon! |

Congratulations to the teams that have qualified so far, and good luck to all the teams still hacking! Enjoy Boston Key Party, PlaidCTF, and we hope to see you in our qualifiers in May!

Quick Qualification Update

DEF CON CTF qualifications will be held from UTC Midnight at the start of May 16, 2015, to UTC Midnight at the end of May 17, 2015. Forty-eight hours total.

| Competition | Start Date | End Date | Link | Notes |
|---|---|---|---|---|
| DEF CON CTF 2014 | May 17, 2014 | Aug. 10, 2014 | https://legitbs.net/2014/ | Qualified the Plaid Parliament of Pwning |
| SECCON CTF 2014 | Dec. 12, 2014 | Feb. 8, 2015 | http://ctf.seccon.jp/timeline.html | Qualifications round finished, finals in February 2015. |
| RuCTFE 2014 | Dec. 20, 2014 | Dec. 20, 2014 | http://ructf.org/e/2014/ | Finished. |
| Ghost in the Shellcode | Jan. 16, 2015 | Jan. 18, 2015 | http://ghostintheshellcode.com/ | Finished. |
| Boston Key Party | Feb. 27, 2015 | Mar. 1, 2015 | http://bostonkeyparty.net | Online jeopardy style game. |
| PlaidCTF | Apr. 17, 2015 | Apr. 19, 2015 | http://www.plaidctf.com/ | Online jeopardy style game. |
| DEF CON CTF Qualifiers 2015 | May 16, 2015 | May 17, 2015 | https://legitbs.net/ | Online jeopardy style, more announcements in 2015. |

Thanks to skolor for the reminder to update this.

Announcing DEF CON CTF 2015 Qualifying Contests

We are pleased to announce that the following competitions will pre-qualify competitors for DEF CON Capture the Flag 2015. In order of contest start dates:

| Competition | Start Date | End Date | Link | Notes |
|---|---|---|---|---|
| DEF CON CTF 2014 | May 17, 2014 | Aug. 10, 2014 | https://legitbs.net/2014/ | Qualified the Plaid Parliament of Pwning |
| SECCON CTF 2014 | Dec. 12, 2014 | Feb. 8, 2015 | http://ctf.seccon.jp/timeline.html | Qualifications round finished, finals in February 2015. |
| RuCTFE 2014 | Dec. 20, 2014 | Dec. 20, 2014 | http://ructf.org/e/2014/ | Online attack-defense, register now! |
| Ghost in the Shellcode | Jan. 16, 2015 | Jan. 18, 2015 | http://ghostintheshellcode.com/ | Jeopardy-style, on-site at ShmooCon or play online. |
| Boston Key Party | Feb. 27, 2015 | Mar. 1, 2015 | http://bostonkeyparty.net | Online jeopardy style game. |
| PlaidCTF | Apr. 17, 2015 | Apr. 19, 2015 | http://www.plaidctf.com/ | Online jeopardy style game. |
| DEF CON CTF Qualifiers 2015 | TBA | TBA | https://legitbs.net/ | Online jeopardy style, more announcements in 2015. |

The best way to get good at Capture the Flag is by playing CTF games, learning what the experience is like, becoming familiar with the flow for solving challenges and writing exploits, and documenting your process. Your road to Vegas, no matter how long it is, starts with competition.

Becoming a DEF CON CTF 2015 Qualifying Competition

Do you run a Capture the Flag or other computer security competition? Want to have that elite prize that brings top-tier competitors? Want to have your winners move on to DEF CON finals? Become a DEF CON CTF 2015 Qualifying Competition!

UPDATED Nov. 17 2014: "Your competition MAY have both offensive and defensive components." The previous version had "SHOULD" there.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.

Running a Competitive Competition

DEF CON CTF competitors are the best in the world. When less-qualified teams compete, they don’t enjoy the game, and don’t provide a lot of enjoyment for other teams either. Therefore, we must ensure only the most qualified teams are invited. Our standards are as follows:

  1. Your competition MUST be open to all. You MUST NOT restrict entry or winning to students or professionals. You MAY structure your game with separate qualifying and finals events.
  2. You MUST NOT charge a fee to competitors, except for normal admission to a conference.
  3. Your competition MUST allow teams of at least four people.
  4. You MUST publish a final scoreboard within seven days of competition ending.
  5. You MUST be able to privately share the winning team’s contact information with us within seven days of competition ending.
  6. You MUST NOT publish personal information about competitors for any reason.
  7. You MUST NOT announce DEF CON CTF qualifying status prior to a Legitimate Business Syndicate announcement of same.
  8. You MUST either have run a competition previously, or be willing to share details and challenge samples with Legitimate Business Syndicate prior to approval.
  9. Your competition MAY have both offensive and defensive components.
  10. Your competition MAY be either online or local/in-person, or both!

If you don’t or can’t meet these requirements, please don’t ask for an exception. It’s possible we might not be a good fit for your competition as designed, and we don’t want to force you to compromise how you run your event.

Sending a Proposal

Send us an email to [email protected] before Midnight, Dec. 1, 2014 (1417392000) with answers to the following questions:

  1. Who is your group?
  2. What is your game named?
  3. Where and when are you hosting it?
  4. How do you design and build challenges?
  5. What’s your favorite vulnerability or exploit (CVE-number or well-recognized name)? Why?
  6. Do you have a favorite CTF challenge or service? How did you solve it?
  7. How do you plan to handle cheating?
  8. Have you or members of your team ever organized a CTF before? Provide details.
  9. Have you or members of your team participated in a CTF event? Provide details.
  10. How many people are involved in the following: challenge writing, game design, infrastructure, and support?

The earlier we get your submission, the earlier we'll read it and form a concrete opinion. Slots are limited. Expect a response by Dec. 9, 2014.

Rules, Disclaimers, and Caveats

  1. Legitimate Business Syndicate may terminate your qualifying event status at any time for any reason, including reasons not covered in this document.
  2. Competitions that publicly publish personal information about competitors will be forbidden from being qualifying events.
  3. Competitions that announce their qualifying event status before a Legitimate Business Syndicate announcement of their status will be forbidden from being qualifying events.
  4. Legitimate Business Syndicate reserves the right to use your competition’s name, logo, and description in promotional materials.
  5. Legitimate Business Syndicate will not use your or your competitors’ contact information for anything besides internal decision-making and official game communication.

All qualifying competition decisions made by Legitimate Business Syndicate members are final.

2014 DEF CON CTF Final Results

2014 was our second year running DEF CON Capture the Flag, and we're still in shock at how well things went for our players and spectators. Here are our final thoughts about this year's game.

Scoring

This year's scoring mostly worked as documented: each team's instance of a service started with 417 flags, flags remained with the service even as they moved through teams, and teams could in theory come back from their flags on a service zeroing out.

On Friday, we found a bug that caused round-end flag distribution to be run once for each enabled service in a given round, instead of once in a given round. We fixed this Friday afternoon, and re-ran the scoring algorithm over the entire game Saturday. Additionally, we were able to re-run scoring when teams lost SLA checks due to hardware failures on our end.

Final Scores

| Team | Score |
|---|---|
| Plaid Parliament of Pwning | 11263 |
| HITCON | 7833 |
| Dragon Sector | 4421 |
| Reckless Abandon | 4020 |
| blue-lotus | 3233 |
| (Mostly) Men in Black Hats | 2594 |
| raon_ASRT | 2281 |
| StratumAuhuur | 1529 |
| [CBA]9447 | 1519 |
| KAIST GoN | 1334 |
| Routards | 1262 |
| More Smoked Leet Chicken | 1248 |
| Binja | 1153 |
| CodeRed | 997 |
| w3stormz | 987 |
| [SEWorks]penthackon | 979 |
| BalalaikaCr3w | 937 |
| Gallopsled | 921 |
| shellphish | 899 |
| HackingForChiMac | 546 |

The Badge

[Image: DEF CON 22 CTF badge]

The DEF CON 22 CTF badge ran two openMSP430 cores, one for the radio and one for the vulnerable "badger" service. The PCB was fabricated in the USA by OSHPark. The badges were hand-assembled at our secret lab by Jymbolia, Duchess, Gyno, and Sirgoon. The team badge and server software were written by Sirgoon, and the VIP badge software was written by grumpybear, using Adafruit LCD graphics libraries.

We would like to apologize to the two-year champions, PPP. An off-by-one error in our badger backend code made it impossible for team id 0 (PPP) to score correctly. They had a working exploit before the end of day 2, but were unable to score any points because of this.

Visualizations

The biggest draw to our room this year was the attack visualization by Hoju and Lightning, which ran Saturday and Sunday.

Each box represents a team, and their physical position within the room. The projectiles represent successful attacks from the launching team against the exploding team. On Saturday morning, the colors of the line indicated which service they were for. However, we found out that at least one team dedicated a player to watching this display as part of a forbidden defensive strategy, and Saturday afternoon and evening, we switched the colors to be random.

On Sunday, we replayed the Friday and Saturday event streams with per-service colors.

Video Content

Historically much of the CTF video content that's been played at DEF CON was extremely sexualized, and would get an R or NC-17 rating in theaters. With the DEF CON audience diversifying, maturing, and simultaneously getting younger, this material is leading to awkwardness, discomfort, embarrassment, offense, and rightful public criticism.

We're not sure what the solution will be: more family-friendly music videos that keep with the DEF CON CTF aesthetic, fewer music videos, more visualizations, or (almost certainly) a combination of these.

Know that it is a problem with many of us at Legitimate Business Syndicate, and we hope we'll do better next year.

Open-Source Releases

We're planning on open-sourcing most of the vulnerable services from both our qualifiers and final games this year, as well as the registration and scoring systems for both. We hope to have these out in September.

Looking Forward

We're taking the next several months to relax and plan for 2015. If you're interested in Capture the Flag, check out CTF Time for information about other games that'll help you practice and prepare. Keep an eye on the Legitimate Business Syndicate blog and Legitimate Business Syndicate on Twitter for more DEF CON CTF news.

See you in 2015!

Two Weeks until 2014 Finals

Fewer than two weeks until our finals game kicks off at DEF CON 22 in sunny Las Vegas, Nevada.

If you're competing:

Subscribe to this blog and @legitbs_ctf on Twitter for updates. We'll email you about truly important coordinating stuff, but there will be supplemental stuff here.

If you're spectating:

See you in Vegas!

The CTF room will be open for everyone to drop by, watch videos, gawk at teams, and enjoy a DJ set or two throughout the contest. Enjoy yourself, but please be respectful and do not interrupt hackers at work. Do not photograph screens. Above all, don't be a jerk. If you have questions about the contest, talk to a member of Legitimate Business Syndicate. Competitors may be willing to talk when they are not engrossed in the game.

Our room is in the same location as in 2013. If you're not completely sure where that is, check the conference program when you get your badge, and this year's DEF CON 22 maps should be available online soon.