Open Source and information security mailing list archives
Date: Fri, 13 Apr 2012 12:47:28 +0200
From: Roman Medina-Heigl Hernandez <roman@...labs.com>
To: FD <full-disclosure@...ts.grok.org.uk>
Cc: dtangent@...con.org, dailydave@...ts.immunitysec.com
Subject: Re: Amongst data breaches and misc 'leakage',
 not necessarily digital, DEFCON CTF continues at DEFCON XX

For years, I've been actively participating in CTFs (mostly playing but also
organizing some of them) and I'm a member of a well-known CTF team... So let
me throw some constructive words about CTFs in general and Defcon's in
particular. Inline response/comments following:

Vulcan DDtek wrote:
> DT asked DDT to grow the CTF.  So we have.  We are pre-qualifying
> winners of other CTFs around the globe to bring a smackdown of epic
> proportions this August.
> 
> As always, last year's champion, the European Nopsled Team, is granted
> automatic entry.  There are so many CTFs on the
> circuit these days, we seek to incorporate only the best of the best.

If so, why are you running quals almost exactly when Phdays CTF final is
being held? Many teams will be flying back home on Sunday (Jun 3rd).
Impossible to join Defcon quals (apart from the fact that two consecutive
CTFs are too time-consuming and too much effort).

Summarizing, you're going to miss really good teams like:
http://www.phdays.com/participants.asp

> Last year the iCTF and Codegate winners demonstrated that winners of
> these CTFs were worthy of returning, additionally we invite victors
> from NCCDC, HitB, PhDays, nuit du hack, ruCTF, and Defcon 19 oCTF.

Again, if you're considering PhDays as a good CTF event, it makes no sense
to "intersect" with them.

> While DEFCON refuses to sell-out to corporate sponsorship, DT is
> personally covering two rooms per team at the majestic RIO hotel
> Thursday-Sunday for each team.

It's better than nothing but not enough (IMHO). Please, learn from other
"big" CTF events like Codegate. Only the flight for a non-US citizen could
be 1000 EUR. If "the player" must cover flight, accommodation and even
Defcon entrance (omg, this is hilarious!), then what are the benefits/pros
of competing at Defcon CTF? Only "fame", I guess (because there are no
prizes either). A very expensive fame, I'd add (again, IMHO) :)

> In honor of DC XX we're upping the number of tables in Vegas to 20
> total.  Yes, when the dust clears the _20_ best will be invited to

It's going to be the Jungle :) Hope there are no network or scoring problems
like other years... Btw, IMHO, scores should be up and visible for all
(public) during *all* the game in order to have some minimal guarantee of
fair game.

Another point: is it fair some teams have literally a troop of players
"helping" from their room/internet, etc at Defcon final? I agree it's
difficult to limit cheating but at least some basic rules should try to
guard against it.

I wish luck to all of you (organizers and players) :)

PS: Sorry for the rant, my intention was/is to be constructive and that
CTFs become better (not only Defcon's; learning from others' errors is
good/desirable so if you -CTF organizer in general- understood this email,
I'm sure you'll know how to improve your CTF organization).

PS2: I also got no response from Ddtek when trying to deal with some of
these issues. I suppose they're quite busy designing this year's VM to be
rooted again (recursive issue? :)) }:-)

Cheers,
-Roman
