Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sun, 22 Jul 2012 18:18:08 -0400
From: Hank Leininger <hlein@...elogic.com>
To: Solar Designer <solar@...nwall.com>
Cc: defcon-2012-contest@...elogic.com, john-users@...ts.openwall.com
Subject: Re: Crack Me If You Can 2012

On Sun, Jul 22, 2012 at 05:25:41PM +0400, Solar Designer wrote:
> Hi,
> 
> So the new contest is announced, and indeed team john-users wants to
> participate.  We have a few questions on the new rules:
> 
> http://contest-2012.korelogic.com/intro.html

Hi, thanks for the email, lots of good questions.  I'll answer initially
here, and we'll make things official with changes to the rule page in a
bit.  [ IOW this email is not the final or official word. ]

In general, the new mechanics & rule changes are intended to keep the
contest interesting for individuals and smaller teams, and to maintain
good fair-play across the board, to address some complaints we've
gotten.  ...Whether the changes succeed in those goals is another
question.

> "Each solved challenge is worth a big chunk of points, and there are
> also sub-prizes for solving challenges. However, teams are limited as to
> how many challenges they can win (see below), so big teams cannot sweep
> all the challenges."
> 
> Besides points for solving a challenge per se, will solving a challenge
> also provide other ways to increase the team's total points - e.g., by
> providing extra hashes to crack, like it was in last year's contest?
> In other words, if a team knows they can't get any more points for
> winning additional challenges, does it still make sense for the team to
> spend time on the remaining challenges?

Nope, once a team has cracked its limit of challenges, there's no more
points to be had from them.  (You could try to win first-to-crack on
other challenges for side prizes, up to the team limit, but no
additional points/credit would be given towards the main contest.)

Last year the challenge files contained simple hashes, and were scored
by turning in the plaintexts for those hashes--this year we want the
plaintext that cracked open the challenge file, which will be worth a
big chunk of points.  There's nothing inside the challenge files but
instructions on making that submission.

Some more about challenges, and points for them.  I think we'll be
posting the list of challenge file types several days before the contest
starts.  The challenges obviously aren't all going to be the same
difficulty / level of effort / amount of cycles to crack.  But, they
will each be worth the same amount of points.  So we expect most teams
to go for the easiest ones first.  Teams in it for overall top points
will likely stop there, and focus purely on password hashes.  But teams
that want to win side-prizes for being first to crack other challenges,
or want to show off that they have the world's best PGP private key file
cracker (or whatever) can focus on trying to win those, which the bigger
teams have less incentive to bother with.

> "Simple, right?" - not quite, and potentially subject to interpretation
> differences.  Examples are desirable.

Yeah, I was being a bit sarcastic ;)

> "* You MUST NOT attempt to interfere with the efforts of another team.
> * You MUST NOT attempt to steal passwords from or techniques/methods
> used by another team."
> 
> Does misinforming another team (or a member thereof) of our team's
> progress, what techniques turned out to be (in)effective, etc. count as
> "interferring" with their efforts or not?  In other words, is this
> permitted?

So basically, social engineering attacks?  We were mostly thinking of
trying to DDoS other teams' channels of communication, infiltrating any
_non-public_ forms of communication, hacking other teams' cracking
systems or communications channels, etc.

I would rather not try to enumerate all the things that wouldn't be OK,
because then someone will figure out a corner case that we did not
specify.  Instead, I'll say "don't be a dick" - if something smells like
deliberate bad sportsmanship, then it's a problem, and we will decide
what to do about it.

> Similarly, does making use of such deliberately provided or publicly
> available information from another team count as "stealing" or not?
> In other words, is this permitted?
> 
> To give an example: if we post 1000 cracked passwords to the john-users
> list, may another team use them and not be disqualified for "stealing"
> from us?  Or are they from that point forced not to crack those same
> 1000 passwords (as if we "patented" them or something)? ;-)  The latter
> would be ridiculous, of course.

Yeah, that would be kind of silly ;)

We do want teams to share things; we think the writeups that teams do
(and any tools/updates that get published as a result) are the best part
of the contest... we don't expect that to happen until afterwards, but I
suppose there's nothing wrong with doing so.

On the other hand, if a team posted them among themselves, but someone
on another team was also on their internal forum / mailing list /
servers?  If we learned that that happened, we wouldn't like it.  The
action we'd take would depend on the circumstances.

Publishing deliberate misinformation, while it might be funny, would be
likely to run afoul of the "Don't be a dick" spirit of the rules.
(Maybe we should literally include that in the rules...)

> "You MUST NOT switch teams during the contest--we will assume you stole
> all the cracks from the team you left, or the team you join."
> 
> Now this is a new restriction, and one that definitely needs to be
> clarified.  It is extremely ambiguous as written.  What was the intent
> here?  Can you name specific examples from past contests (not
> necessarily limited to past CMIYK) that would violate this rule?
> And examples that would not violate it?

Well, we found out about some cases of team-switching or merging (and
had some complaints about it), and weren't happy, but hadn't had any
rule against it.

What we most want to avoid, is surprises that we'd consider unfair to
the other players/teams.  For instance, the #3 and #4 teams merging in
the last hour in order to rocket at least one of them to #2 or #1.  That
would make the previous leaders feel cheated, and rightly so, I think.

I think if people want to, say, do their own solo/small team, to keep
track of how say their special tools or techniques do, while also being
a member of a larger team _all along_ that they feed cracks into but
don't take cracks from, that would be OK, provided they let us know
*early on*, and the larger team they're in also knows all along.  (That
has been the case sometimes, I know.)

> What about team mergers during contest - e.g., if teams currently ranked
> 4 and 5 decide to merge and hopefully take 3rd place, moving the team
> currently ranked 3rd down to the 4th place?  Is this permitted?  (Of
> course, assuming that the teams choose which one will be the merged team
> and submit both teams' cracks under that team before the contest ends.)

So, according to my above, this would be the situation that would bother
us most, team switches and/or mergers during the contest.  We feel that
situation is the least fair to the other players.

What if somebody tries to compete solo, but quickly realizes they didn't
have enough time to devote to the contest and decides they want to join
up with an existing team instead?  I think we ought to allow that,
rather than just forcing them to give up and walk away, which is no fun.
Probably with a time limit on such a merger.  I don't know exactly what
that limit should be, but on the order of 12-18 hours into the 48 hour
contest.  I think we'd ask that someone considering that should email our
human contact address to ask us to approve it.

> "we will assume you stole all the cracks from the team you left, or the
> team you join" - and what do you do in that case?

Nuke the site from orbit, it's the only way to be sure.

I'm not actually sure what we'd do.  It would depend on the situation,
or if both teams were informed and OK with it vs not, and whether it has
an impact to the other teams that are competing.

I think I will take a modified version of your suggestion.

a) Small teams that are also feeding their cracks into a larger team are
   allowed, as long as their situation is clear both to us and to the
   larger team.
b) Only the highest-scoring of such merged teams is eligible.

Meanwhile:
- small teams merging/joining others _early_ in the contest is generally
  OK, but requires approval (email us to say you want to do it).
- "last-minute" sharing/mergers is still not allowed.
- members switching from one team to another is still not allowed.

So for your earlier example, if bartavelle and 16Crack both compete in
the 2012 contest, they could also feed their cracks to john-users, as
long as team john-users knows they are also competing on their own, and
as long as they notify us early on in the contest.  If john-users,
bartavelle, and 16Crack then sweep the #1, #2, and #3 spots, only the
team that got #1 would get a prize; the others would revert to the #4
and #5 spots.  (In fact we can probably capture this in the scoreboard,
we will just flag known sub-teams as not being eligible.)

Again, that isn't an official statement yet; I'm going to float it by
the other members of our team, and then we'll update the rules page
after making our decision.  (I'll happily take feedback on it in the
meantime.)

-- 

Hank Leininger <hlein@...elogic.com>
D24D 2C2A F3AC B9AE CD03  B506 2D57 32E1 686B 6DB3

Download attachment "signature.asc" of type "application/pgp-signature" (448 bytes)

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.