From: jsyn at (jsyn)
Subject: cypherpunk wargames


         /* Cypherpunk Wargames: Mountainous Forest Operation */

  NOTE: This is an alternative to traditional learning methods, but is 
  nevertheless grounded in traditional responsibility.  Please do not
  read too much into this.

Cypherpunk Wargames are tactical training operations designed to engage hackers
in a wide range of strategic and technological thought.  Participants are taken
out of their familiar environments and into a very challenging fourth-
generation warfare exercise for several days.  Creativity and adaptability of
many variants is required for success in this setting.

Each operation is conducted as a unique scenario with its own special
requirements.  This is a Mountainous Forest operation.  Participants will be
divided into several units, and then battle each other in a simultaneous land-
and network-based wargame carried out while encamped on a rugged mountainside. 
Many strategies for attack and defense will be available, but only one will end
up successful.

Several pilots of this exercise have already been completed in prairie,
woodland, and subterranean urban environments.  This will be the first full-
scale training operation.

For more information, see, or send mail to

Mountainous Forest
backup plan: Mountainous Desert

November 7th - 11th, 2002 
Extended Veterans' Day Weekend

Several possibilities are still being explored.

Primary target:
Julian, CA - mid-elevation wooded hills; a suitable location has been
found here, and arrangements have been made.

Secondary targets: 
Yucca Valley, CA - desert; we've got a workable location here, too; this is
the backup plan.

Big Bear / Arrowhead, CA region - due to high fire hazard, this national 
forest area is now closed until the risk is diminished.

The rules are in an active state of development.  Expect the rules
about capturing opponents to change most drastically.

Teams and Team Selection:
- there will be several opposing teams (likely to be 4, but could be 3-5)
- the number of teams will be determined by the number of participants
   available; there will be 7-15 participants per team, and we are expecting
   40-60 participants, plus another dozen coordinators
- each participant will vote names for selection of the team captains
- each participant will have the opportunity to optionally make some of his 
   equipment resources and skills known
- team captains will draft their team members in rounds
- each team will have a passphrase assigned to it
- the team passphrase will give access to a central server, as well as to a
   GPG PK pair located there
- the team passphrase will not be cryptographically strong; assume that it
   is crackable within a reasonable amount of time

Terrain and Connectivity:
- the operating area will have been divided into several zones -- one for 
   each team, and one or more DMZs
- each team will build one or more camps (tents, networks, etc.) within
   their zone
- each team will be connected to the central NOC/HQ via a wireless network 

Network Services:
- each team must run servers for which points will be granted (up to 10 servers
   will be point-granting)
- each server will be assigned one digitally-signed flag keyword file and
   several encrypted flag location files (one for each opposing team); these 
   files are to be placed in the primary file system root directory, readable 
   only by the system superuser
- each server must run at least 10 Well Known services (ports <1024), more for
   extra points (up to 30 point-granting services)
- additional points will be granted for running an older operating system on
   each server (with age defined as the date when >80% of the code was built)
- additional points will be granted per server for creating a guest shell
   account/password and advertising it on a publicly accessible service;
   this account must have a traditional, fully functional shell (don't be
   stupid), though it may be enabled in a more restricted mode; the associated
   server must also be running a fully functional remote shell access service;
   for full credit, this must be enabled within 8 hours of each server going
   into operation

- any participant may "takedown" a member of an opposing team (this isn't
   through physical assault, but through a hand-to-hand range nonrepudiable
   tagging mechanism)
- the "hit" participant is out of commission for a small period of time, their
   team loses points, and the team's central NOC/HQ  account is locked for ten 
   minutes (the exact procedure here is still in development)
- during cease-fires (meals, additional instruction, etc.), all persons are
   to be accounted for and must cease to attack; machines, however, are allowed
   to do whatever they like

- the event coordinators will have strategically hidden 10 "flags" per team,
   with each team's flags being placed within their own zone
- assume that the flags may be anywhere -- buried, underwater, high in the
   trees, etc.
- for each team flag, a file will be created describing its location and
   flag keyword; several copies of this file will be made, each encrypted with
   a different opposing team's public key and signed with NOC/HQ's key
- for each team flag, another file will be created with only the flag keyword
   listed; this will then be signed with NOC/HQ's key
- each team should be well-informed of its flag keywords (up to 10 of
   them); an attacker (from an opposing team) who knows the flag keyword
   for a specific flag (through compromising the associated host, or through
   compromising an enemy team member) can speak that keyword and be granted
   10 minutes to maneuver/search within a 10-yard radius (whether or not that's
   where a flag actually is)
- if a flag is successfully captured at this point, the attacker must be 
   allowed to return to a DMZ; otherwise, the attacker must escape on their
- if a team has fewer than 10 hosts to associate their 10 flags with, their
   unallocated flag files can once apiece be used to reinitialize their
   own hosts (if/when compromised)

- each team's goal is to defend their own flags from capture (the locations 
   of which they do not know), and to capture the flags of their opponents
- the first team to successfully compromise all flags + flag keywords 
   automatically wins (regardless of score)
- barring that, the highest scoring team at the end of the event will be
   the winner

+50  = running a server (10 servers max. per team)
+10  = per year of OS age (10 year max.; round down)
+2   = 10 Well-Known-Service minimum, per service above this (after 3 hours
	uptime; 30 services max. for points)
+100 = having a working guest user shell account w/ passwd readily discoverable
	on public host service
+200 = per flag keyword compromise (server) 
+200 = per flag compromise (physical)
x2   = compromises between 2-6am
+50  = first reporting of a flag compromise (server or physical)
-100 = false reporting of a flag compromise (server or physical)
-5   = server downtime, per 10 minutes
-10  = per discovery (and notice + 5 minutes) of guest user account 
	(or information pertaining to it) unavailable (not coinciding with 
	host downtime; only applicable if +100 points for guest account has 
	been granted)
-10  = getting taken down (each time) -- also, team member is not allowed
        to participate for 10 minutes (and then escorted to DMZ), and team 
	account is locked for 10 minutes
-100 = attempting to attack during a cease-fire (per person, per attempt)

- courage and a passion for what we are doing
- durable clothing: you will be in a natural outdoor environment for 4 days
   and 4 nights; assume that you will be in close proximity to poison ivy/oak, 
   ticks, spiders, scorpions, snakes, various wild animals, etc.; for tactical 
   reasons, camouflage clothing of various types would be advantageous, as well
   as clothing for conducting water operations (sneaking into an enemy zone, or 
   retrieving a flag placed at the bottom of a pond, for instance); assume
   that you will get hot, cold, dirty, wet, muddy, and then will need to be 
   able to clean up quickly for network attacks
- food: you want to eat, right?  bring coolers, drinks (a lot of water!), 
   high-energy snacks, and all the food that you will require for 3-4 meals
   per day, realizing that fires of any type may not be allowed (due to burn-
   bans); limited cooking equipment for one meal per day may be available
- campsite equipment: tents, tarps, crates/makeshift tables (for network 
   equipment/servers), wooden pallets/planks (to build a raised floor in case
   of rain), sleeping bag, chairs, firewood, first-aid kit, insect repellent,
   toilet paper, etc.; many other things may be useful, use your imagination
- tactical equipment: rope, wire, fishing line, netting, carabiners, duct tape,
   shovel, cutting tools, gps receivers, radios, frequency scanners, etc.; it 
   will be to your advantage to be able to construct perimeter alert systems,
   barriers, and equipment caches
- network equipment: multiple machines to be used as servers (preferably
   already set up; laptops are a big plus), monitors, generators (extra power
   will be a plus), network infrastructure hardware (hubs, switches, cabling,
   NICs, WiFi gear)
- code: multiple releases of various operating systems (older revisions for
   added points), multiple daemons (you'll need at least ten running for
   server credit), network security tools (there are many avenues that may be
   taken to gain strategic advantage in this competition, think broadly here),
   exploit collection (obviously, being able to exploit the vulnerabilities
   found will be key to winning; the more comprehensive your collection, the
   better your chances will be)

- no alcohol or illegal drugs whatsoever
- no fireworks, explosives, or incendiary devices of any kind
- no non-electrical illumination devices except chemical glowsticks
- cigarettes may be smoked only at NOC/HQ
- firearms of any type must be checked at NOC/HQ

- Thursday, November 7th
   20:00 - 22:00   arrive at on-location rendezvous area; meet+greet
   22:00 - 22:30   orientation
   22:30 - 23:00   captain selection
   23:00 - 23:30   team selection
   23:30 - 23:59   team orientation

- Friday, November 8th
   o-dark-hundred  roll-out
   00:00 - 06:00   campsite setup
       06:00       wargame scoring begins
   06:00 - 16:00   wargame operations
   16:00 - 18:00   cease-fire; group mealtime
   18:00 - 23:59   wargame operations

- Saturday, November 9th
   00:00 - 16:00   wargame operations
   16:00 - 18:00   cease-fire; group mealtime
   18:00 - 23:59   wargame operations

- Sunday, November 10th
   00:00 - 16:00   wargame operations
   16:00 - 18:00   cease-fire; group mealtime
   18:00 - 23:59   wargame operations

- Monday, November 11th
   00:00 - 07:00   wargame operations
   07:00 - 07:30   cease-fire; group meeting 
   07:30 - 15:00   wargame operations
       15:00       wargame scoring ends
   15:00 - 16:30   campsite teardown
   16:30 - 18:00   debriefing / results presentation / group mealtime

Notes: (1) Yes, you'll have more than one meal per day.  But your other two
probably won't be warm, and you likely won't be able to eat them in peace 
without forsaking your team duties.  In other words, you'll have to catch them 
when you can.  (2) No, there's no time allocated for sleeping.  You'll have to
catch that when you can, too.

Due to the arrangements we'll need to make in order for this event to run
smoothly, it is very important that we get a reasonably solid fix on the
number of participants as early as possible. 

Therefore, the earlier you pay, the less it costs.

10/18/2002 $75
11/01/2002 $100
11/07/2002 $125

As a participant involving yourself in this event of your own free accord,
you will assume all responsibility for your own safety.  In case of an
emergency, we'll be nice and try to help you, but we will in no way be
responsible for anything that happens to you.  Be prepared, be cautious, and
be smart.  You will be required to sign a waiver stating your understanding
of this matter.  If you are under eighteen, you will have to get a parent or
legal guardian to sign.

