Date: Sun, 22 Jul 2012 18:18:08 -0400 From: Hank Leininger <hlein@...elogic.com> To: Solar Designer <solar@...nwall.com> Cc: defcon-2012-contest@...elogic.com, john-users@...ts.openwall.com Subject: Re: Crack Me If You Can 2012 On Sun, Jul 22, 2012 at 05:25:41PM +0400, Solar Designer wrote: > Hi, > > So the new contest is announced, and indeed team john-users wants to > participate. We have a few questions on the new rules: > > http://contest-2012.korelogic.com/intro.html Hi, thanks for the email, lots of good questions. I'll answer initially here, and we'll make things official with changes to the rule page in a bit. [ IOW this email is not the final or official word. ] In general, the new mechanics & rule changes are intended to keep the contest interesting for individuals and smaller teams, and to maintain good fair-play across the board, to address some complaints we've gotten. ...Whether the changes succeed in those goals is another question. > "Each solved challenge is worth a big chunk of points, and there are > also sub-prizes for solving challenges. However, teams are limited as to > how many challenges they can win (see below), so big teams cannot sweep > all the challenges." > > Besides points for solving a challenge per se, will solving a challenge > also provide other ways to increase the team's total points - e.g., by > providing extra hashes to crack, like it was in last year's contest? > In other words, if a team knows they can't get any more points for > winning additional challenges, does it still make sense for the team to > spend time on the remaining challenges? Nope, once a team has cracked its limit of challenges, there's no more points to be had from them. (You could try to win first-to-crack on other challenges for side prizes, up to the team limit, but no additional points/credit would be given towards the main contest.) Last year the challenge files contained simple hashes, and were scored by turning in the plaintexts for those hashes--this year we want the plaintext that cracked open the challenge file, which will be worth a big chunk of points. There's nothing inside the challenge files but instructions on making that submission. Some more about challenges, and points for them. I think we'll be posting the list of challenge file types several days before the contest starts. The challenges obviously aren't all going to be the same difficulty / level of effort / amount of cycles to crack. But, they will each be worth the same amount of points. So we expect most teams to go for the easiest ones first. Teams in it for overall top points will likely stop there, and focus purely on password hashes. But teams that want to win side-prizes for being first to crack other challenges, or want to show off that they have the world's best PGP private key file cracker (or whatever) can focus on trying to win those, which the bigger teams have less incentive to bother with. > "Simple, right?" - not quite, and potentially subject to interpretation > differences. Examples are desirable. Yeah, I was being a bit sarcastic ;) > "* You MUST NOT attempt to interfere with the efforts of another team. > * You MUST NOT attempt to steal passwords from or techniques/methods > used by another team." > > Does misinforming another team (or a member thereof) of our team's > progress, what techniques turned out to be (in)effective, etc. count as > "interferring" with their efforts or not? In other words, is this > permitted? So basically, social engineering attacks? We were mostly thinking of trying to DDoS other teams' channels of communication, infiltrating any _non-public_ forms of communication, hacking other teams' cracking systems or communications channels, etc. I would rather not try to enumerate all the things that wouldn't be OK, because then someone will figure out a corner case that we did not specify. Instead, I'll say "don't be a dick" - if something smells like deliberate bad sportsmanship, then it's a problem, and we will decide what to do about it. > Similarly, does making use of such deliberately provided or publicly > available information from another team count as "stealing" or not? > In other words, is this permitted? > > To give an example: if we post 1000 cracked passwords to the john-users > list, may another team use them and not be disqualified for "stealing" > from us? Or are they from that point forced not to crack those same > 1000 passwords (as if we "patented" them or something)? ;-) The latter > would be ridiculous, of course. Yeah, that would be kind of silly ;) We do want teams to share things; we think the writeups that teams do (and any tools/updates that get published as a result) are the best part of the contest... we don't expect that to happen until afterwards, but I suppose there's nothing wrong with doing so. On the other hand, if a team posted them among themselves, but someone on another team was also on their internal forum / mailing list / servers? If we learned that that happened, we wouldn't like it. The action we'd take would depend on the circumstances. Publishing deliberate misinformation, while it might be funny, would be likely to run afoul of the "Don't be a dick" spirit of the rules. (Maybe we should literally include that in the rules...) > "You MUST NOT switch teams during the contest--we will assume you stole > all the cracks from the team you left, or the team you join." > > Now this is a new restriction, and one that definitely needs to be > clarified. It is extremely ambiguous as written. What was the intent > here? Can you name specific examples from past contests (not > necessarily limited to past CMIYK) that would violate this rule? > And examples that would not violate it? Well, we found out about some cases of team-switching or merging (and had some complaints about it), and weren't happy, but hadn't had any rule against it. What we most want to avoid, is surprises that we'd consider unfair to the other players/teams. For instance, the #3 and #4 teams merging in the last hour in order to rocket at least one of them to #2 or #1. That would make the previous leaders feel cheated, and rightly so, I think. I think if people want to, say, do their own solo/small team, to keep track of how say their special tools or techniques do, while also being a member of a larger team _all along_ that they feed cracks into but don't take cracks from, that would be OK, provided they let us know *early on*, and the larger team they're in also knows all along. (That has been the case sometimes, I know.) > What about team mergers during contest - e.g., if teams currently ranked > 4 and 5 decide to merge and hopefully take 3rd place, moving the team > currently ranked 3rd down to the 4th place? Is this permitted? (Of > course, assuming that the teams choose which one will be the merged team > and submit both teams' cracks under that team before the contest ends.) So, according to my above, this would be the situation that would bother us most, team switches and/or mergers during the contest. We feel that situation is the least fair to the other players. What if somebody tries to compete solo, but quickly realizes they didn't have enough time to devote to the contest and decides they want to join up with an existing team instead? I think we ought to allow that, rather than just forcing them to give up and walk away, which is no fun. Probably with a time limit on such a merger. I don't know exactly what that limit should be, but on the order of 12-18 hours into the 48 hour contest. I think we'd ask that someone considering that should email our human contact address to ask us to approve it. > "we will assume you stole all the cracks from the team you left, or the > team you join" - and what do you do in that case? Nuke the site from orbit, it's the only way to be sure. I'm not actually sure what we'd do. It would depend on the situation, or if both teams were informed and OK with it vs not, and whether it has an impact to the other teams that are competing. I think I will take a modified version of your suggestion. a) Small teams that are also feeding their cracks into a larger team are allowed, as long as their situation is clear both to us and to the larger team. b) Only the highest-scoring of such merged teams is eligible. Meanwhile: - small teams merging/joining others _early_ in the contest is generally OK, but requires approval (email us to say you want to do it). - "last-minute" sharing/mergers is still not allowed. - members switching from one team to another is still not allowed. So for your earlier example, if bartavelle and 16Crack both compete in the 2012 contest, they could also feed their cracks to john-users, as long as team john-users knows they are also competing on their own, and as long as they notify us early on in the contest. If john-users, bartavelle, and 16Crack then sweep the #1, #2, and #3 spots, only the team that got #1 would get a prize; the others would revert to the #4 and #5 spots. (In fact we can probably capture this in the scoreboard, we will just flag known sub-teams as not being eligible.) Again, that isn't an official statement yet; I'm going to float it by the other members of our team, and then we'll update the rules page after making our decision. (I'll happily take feedback on it in the meantime.) -- Hank Leininger <hlein@...elogic.com> D24D 2C2A F3AC B9AE CD03 B506 2D57 32E1 686B 6DB3 Download attachment "signature.asc" of type "application/pgp-signature" (448 bytes)
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.