Message-ID: <20021014023625.A16580@exetazo.nthought.com>
From: jsyn at nthought.com (jsyn)
Subject: cypherpunk wargames
<++>
/* Cypherpunk Wargames: Mountainous Forest Operation */
NOTE: This is an alternative to traditional learning methods, but is
nevertheless grounded in traditional responsibility. Please do not
read too much into this.
Cypherpunk Wargames are tactical training operations designed to engage hackers
in a wide range of strategic and technological thought. Participants are taken
out of their familiar environments and into a very challenging fourth-
generation warfare exercise for several days. Creativity and adaptability of
many variants is required for success in this setting.
Each operation is conducted as a unique scenario with its own special
requirements. This is a Mountainous Forest operation. Participants will be
divided into several units, and then battle each other in a simultaneous land-
and network-based wargame carried out while encamped on a rugged mountainside.
Many strategies for attack and defense will be available, but only one will end
up successful.
Several pilots of this exercise have already been completed in prairie,
woodland, and subterranean urban environments. This will be the first full-
scale training operation.
For more information, see http://nthought.com/wargames/, or send mail to
info@...ought.com.
SCENARIO
========
Mountainous Forest
backup plan: Mountainous Desert
DATE
====
November 7th - 11th, 2002
Extended Veterans' Day Weekend
LOCATION
========
Several possibilities are still being explored.
Primary target:
Julian, CA - mid-elevation wooded hills; a suitable location has been
found here, and arrangements have been made.
Secondary targets:
Yucca Valley, CA - desert; we've got a workable location here, too; this is
the backup plan.
Big Bear / Arrowhead, CA region - due to high fire hazard, this national
forest area is now closed until the risk is diminished.
RULES
=====
The rules are in an active state of development. Expect the rules
about capturing opponents to change most drastically.
Teams and Team Selection:
- there will be several opposing teams (likely to be 4, but could be 3-5)
- the number of teams will be determined by the number of participants
available; there will be 7-15 participants per team, and we are expecting
40-60 participants, plus another dozen coordinators
- each participant will vote names for selection of the team captains
- each participant will have the opportunity to optionally make some of his
equipment resources and skills known
- team captains will draft their team members in rounds
- each team will have a passphrase assigned to it
- the team passphrase will give access to a central server, as well as to a
GPG PK pair located there
- the team passphrase will not be cryptographically strong; assume that it
is crackable within a reasonable amount of time
Terrain and Connectivity:
- the operating area will have been divided into several zones -- one for
each team, and one or more DMZs
- each team will build one or more camps (tents, networks, etc.) within
their zone
- each team will be connected to the central NOC/HQ via a wireless network
bridge
Network Services:
- each team must run servers for which points will be granted (up to 10 servers
will be point-granting)
- each server will be assigned one digitally-signed flag keyword file and
several encrypted flag location files (one for each opposing team); these
files are to be placed in the primary file system root directory, readable
only by the system superuser
- each server must run at least 10 Well Known services (ports <1024), more for
extra points (up to 30 point-granting services)
- additional points will be granted for running an older operating system on
each server (with age defined as the date when >80% of the code was built)
- additional points will be granted per server for creating a guest shell
account/password and advertising it on a publicly accessible service;
this account must have a traditional, fully functional shell (don't be
stupid), though it may be enabled in a more restricted mode; the associated
server must also be running a fully functional remote shell access service;
for full credit, this must be enabled within 8 hours of each server going
into operation
Operations:
- any participant may "takedown" a member of an opposing team (this isn't
through physical assault, but through a hand-to-hand range nonrepudiable
tagging mechanism)
- the "hit" participant is out of commission for a small period of time, their
team loses points, and the team's central NOC/HQ account is locked for ten
minutes (the exact procedure here is still in development)
- during cease-fires (meals, additional instruction, etc.), all persons are
to be accounted for and must cease to attack; machines, however, are allowed
to do whatever they like
Flags:
- the event coordinators will have strategically hidden 10 "flags" per team,
with each team's flags being placed within their own zone
- assume that the flags may be anywhere -- buried, underwater, high in the
trees, etc.
- for each team flag, a file will be created describing its location and
flag keyword; several copies of this file will be made, each encrypted with
a different opposing team's public key and signed with NOC/HQ's key
- for each team flag, another file will be created with only the flag keyword
listed; this will then be signed with NOC/HQ's key
- each team should be well-informed of its flag keywords (up to 10 of
them); an attacker (from an opposing team) who knows the flag keyword
for a specific flag (through compromising the associated host, or through
compromising an enemy team member) can speak that keyword and be granted
10 minutes to maneuver/search within a 10-yard radius (whether or not that's
where a flag actually is)
- if a flag is successfully captured at this point, the attacker must be
allowed to return to a DMZ; otherwise, the attacker must escape on their
own
- if a team has fewer than 10 hosts to associate their 10 flags with, their
unallocated flag files can once apiece be used to reinitialize their
own hosts (if/when compromised)
Goal:
- each team's goal is to defend their own flags from capture (the locations
of which they do not know), and to capture the flags of their opponents
- the first team to successfully compromise all flags + flag keywords
automatically wins (regardless of score)
- barring that, the highest scoring team at the end of the event will be
the winner
POINTS
======
+50 = running a server (10 servers max. per team)
+10 = per year of OS age (10 year max.; round down)
+2 = 10 Well-Known-Service minimum, per service above this (after 3 hours
uptime; 30 services max. for points)
+100 = having a working guest user shell account w/ passwd readily discoverable
on public host service
+200 = per flag keyword compromise (server)
+200 = per flag compromise (physical)
x2 = compromises between 2-6am
+50 = first reporting of a flag compromise (server or physical)
-100 = false reporting of a flag compromise (server or physical)
-5 = server downtime, per 10 minutes
-10 = per discovery (and notice + 5 minutes) of guest user account
(or information pertaining to it) unavailable (not coinciding with
host downtime; only applicable if +100 points for guest account has
been granted)
-10 = getting taken down (each time) -- also, team member is not allowed
to participate for 10 minutes (and then escorted to DMZ), and team
account is locked for 10 minutes
-100 = attempting to attack during a cease-fire (per person, per attempt)
WHAT TO BRING
=============
- courage and a passion for what we are doing
- durable clothing: you will be in a natural outdoor environment for 4 days
and 4 nights; assume that you will be in close proximity to poison ivy/oak,
ticks, spiders, scorpions, snakes, various wild animals, etc.; for tactical
reasons, camouflage clothing of various types would be advantageous, as well
as clothing for conducting water operations (sneaking into an enemy zone, or
retrieving a flag placed at the bottom of a pond, for instance); assume
that you will get hot, cold, dirty, wet, muddy, and then will need to be
able to clean up quickly for network attacks
- food: you want to eat, right? bring coolers, drinks (a lot of water!),
high-energy snacks, and all the food that you will require for 3-4 meals
per day, realizing that fires of any type may not be allowed (due to burn-
bans); limited cooking equipment for one meal per day may be available
- campsite equipment: tents, tarps, crates/makeshift tables (for network
equipment/servers), wooden pallets/planks (to build a raised floor in case
of rain), sleeping bag, chairs, firewood, first-aid kit, insect repellent,
toilet paper, etc.; many other things may be useful, use your imagination
- tactical equipment: rope, wire, fishing line, netting, carabiners, duct tape,
shovel, cutting tools, gps receivers, radios, frequency scanners, etc.; it
will be to your advantage to be able to construct perimeter alert systems,
barriers, and equipment caches
- network equipment: multiple machines to be used as servers (preferably
already set up; laptops are a big plus), monitors, generators (extra power
will be a plus), network infrastructure hardware (hubs, switches, cabling,
NICs, WiFi gear)
- code: multiple releases of various operating systems (older revisions for
added points), multiple daemons (you'll need at least ten running for
server credit), network security tools (there are many avenues that may be
taken to gain strategic advantage in this competition, think broadly here),
exploit collection (obviously, being able to exploit the vulnerabilities
found will be key to winning; the more comprehensive your collection, the
better your chances will be)
RESTRICTED ITEMS
================
- no alcohol or illegal drugs whatsoever
- no fireworks, explosives, or incendiary devices of any kind
- no non-electrical illumination devices except chemical glowsticks
- cigarettes may be smoked only at NOC/HQ
- firearms of any type must be checked at NOC/HQ
SCHEDULE
========
- Thursday, November 7th
20:00 - 22:00 arrive at on-location rendezvous area; meet+greet
22:00 - 22:30 orientation
22:30 - 23:00 captain selection
23:00 - 23:30 team selection
23:30 - 23:59 team orientation
- Friday, November 8th
o-dark-hundred roll-out
00:00 - 06:00 campsite setup
06:00 wargame scoring begins
06:00 - 16:00 wargame operations
16:00 - 18:00 cease-fire; group mealtime
18:00 - 23:59 wargame operations
- Saturday, November 9th
00:00 - 16:00 wargame operations
16:00 - 18:00 cease-fire; group mealtime
18:00 - 23:59 wargame operations
- Sunday, November 10th
00:00 - 16:00 wargame operations
16:00 - 18:00 cease-fire; group mealtime
18:00 - 23:59 wargame operations
- Monday, November 11th
00:00 - 07:00 wargame operations
07:00 - 07:30 cease-fire; group meeting
07:30 - 15:00 wargame operations
15:00 wargame scoring ends
15:00 - 16:30 campsite teardown
16:30 - 18:00 debriefing / results presentation / group mealtime
Notes: (1) Yes, you'll have more than one meal per day. But your other two
probably won't be warm, and you likely won't be able to eat them in peace
without forsaking your team duties. In other words, you'll have to catch them
when you can. (2) No, there's no time allocated for sleeping. You'll have to
catch that when you can, too.
PRICING
=======
Due to the arrangements we'll need to make in order for this event to run
smoothly, it is very important that we get a reasonably solid fix on the
number of participants as early as possible.
Therefore, the earlier you pay, the less it costs.
10/18/2002 $75
11/01/2002 $100
11/07/2002 $125
LIABILITY
=========
As a participant involving yourself in this event of your own free accord,
you will assume all responsibility for your own safety. In case of an
emergency, we'll be nice and try to help you, but we will in no way be
responsible for anything that happens to you. Be prepared, be cautious, and
be smart. You will be required to sign a waiver stating your understanding
of this matter. If you are under eighteen, you will have to get a parent or
legal guardian to sign.
<-->