Date: Sun, 22 Jul 2012 17:25:41 +0400
From: Solar Designer <solar@...nwall.com>
To: defcon-2012-contest@...elogic.com
Cc: john-users@...ts.openwall.com
Subject: Crack Me If You Can 2012

Hi,

So the new contest is announced, and indeed team john-users wants to participate. We have a few questions on the new rules:

http://contest-2012.korelogic.com/intro.html

"Each solved challenge is worth a big chunk of points, and there are also sub-prizes for solving challenges. However, teams are limited as to how many challenges they can win (see below), so big teams cannot sweep all the challenges."

Besides points for solving a challenge per se, will solving a challenge also provide other ways to increase the team's total points - e.g., by providing extra hashes to crack, like it was in last year's contest? In other words, if a team knows they can't get any more points for winning additional challenges, does it still make sense for the team to spend time on the remaining challenges?

"Simple, right?" - not quite, and potentially subject to interpretation differences. Examples are desirable.

"* You MUST NOT attempt to interfere with the efforts of another team.
* You MUST NOT attempt to steal passwords from or techniques/methods used by another team."

Does misinforming another team (or a member thereof) of our team's progress, what techniques turned out to be (in)effective, etc. count as "interfering" with their efforts or not? In other words, is this permitted?

Similarly, does making use of such deliberately provided or publicly available information from another team count as "stealing" or not? In other words, is this permitted?

To give an example: if we post 1000 cracked passwords to the john-users list, may another team use them and not be disqualified for "stealing" from us? Or are they from that point forced not to crack those same 1000 passwords (as if we "patented" them or something)? ;-) The latter would be ridiculous, of course.
These two are not new rules (IIRC, they existed last year as well), yet I felt a clarification would not hurt.

"You MUST NOT switch teams during the contest--we will assume you stole all the cracks from the team you left, or the team you join."

Now this is a new restriction, and one that definitely needs to be clarified. It is extremely ambiguous as written. What was the intent here? Can you name specific examples from past contests (not necessarily limited to past CMIYK) that would violate this rule? And examples that would not violate it?

It is somewhat common for a person to submit their own results and also feed their cracks to a team's pool. Usually this did not affect the top 3 places (e.g., team john-users in CMIYK 2010 and 2011 accepted cracks from bartavelle and 16Crack, who also submitted their results separately - but they were not in top 3 personally). However, a recent exception to this is the Hash Runner contest at PHDays 2012, where Xanadrel took third place while also feeding his results to team Teardrop (Hashcat). Is this now against the rules? In all cases or only when the person ends up in top 3 (thus, their scores would not count then and the 4th entry, etc. would be the 3rd place winner then)?

What about the case when this is done between two teams (a smaller team submits their results separately, but also contributes to a larger team's pool)?

What about team mergers during contest - e.g., if teams currently ranked 4 and 5 decide to merge and hopefully take 3rd place, moving the team currently ranked 3rd down to the 4th place? Is this permitted? (Of course, assuming that the teams choose which one will be the merged team and submit both teams' cracks under that team before the contest ends.)

"we will assume you stole all the cracks from the team you left, or the team you join" - and what do you do in that case? Also, does it matter how you resolve the "or" (which team the person or sub-team stole cracks from)?
Does some team get disqualified as a result (which one? or both?) or do you adjust their score somehow (how? I see no fair way considering that cracks by different people/teams usually mostly overlap).

My suggestion is that mergers be allowed, but only the highest-scoring of the merged teams be eligible for a numbered place and the corresponding prize. Ditto for people posting their personal results and also being on a team: they would not be eligible for a prize personally then. Of course, this assumes that teams/people disclose such information (or it is inferred by other means). As far as I'm aware, so far no one attempted to hide it, and the teams tend to play fair. So I think this is OK.

Would this work, or does it not address some other need for this new restriction?

Anyhow, the rule needs to be clarified and examples need to be provided.

Thanks,

Alexander