Date: Tue, 24 Jul 2012 16:26:25 -0400
From: Hank Leininger <hlein@...elogic.com>
To: Solar Designer <solar@...nwall.com>
Cc: defcon-2012-contest@...elogic.com, john-users@...ts.openwall.com
Subject: Re: Crack Me If You Can 2012

On Tue, Jul 24, 2012 at 11:20:46PM +0400, Solar Designer wrote:
> Hi Hank,
> 
> Thank you for the prompt response, and sorry that mine is a bit delayed.
> 
> Here's another thing I noticed: perhaps the specified contest start/end
> time is actually in PDT timezone, not PST?

Whoops, indeed.  Fixed, thanks.

> Please let us know when/if you update the rule page.

We did publish those updates, late Sunday I think (some unrelated
updates are still pending).

> > So basically, social engineering attacks?  We were mostly thinking of
> > trying to DDoS other teams' channels of communication, infiltrating any
> > _non-public_ forms of communication, hacking other teams' cracking
> > systems or communications channels, etc.
> > 
> > I would rather not try to enumerate all the things that wouldn't be OK,
> > because then someone will figure out a corner case that we did not
> > specify.  Instead, I'll say "don't be a dick" - if something smells like
> > deliberate bad sportsmanship, then it's a problem, and we will decide
> > what to do about it.
> 
> What's good or bad sportsmanship depends on what's (not) allowed in the
> rules.  If social engineering attacks are allowed, they may become part
> of the contest and a team's strategy, and they would be fair play.  That
> would be quite a different contest, though, so I understand that you may
> not want to allow them - I just felt that this needed to be clarified.

Indeed!  So, I did put "Don't be a dick" as the guiding principle of the
rules.  Social engineering other teams would be another contest.  Maybe
at DerbyCon ;)

> > What we most want to avoid, is surprises that we'd consider unfair to
> > the other players/teams.  For instance, the #3 and #4 teams merging in
> > the last hour in order to rocket at least one of them to #2 or #1.  That
> > would make the previous leaders feel cheated, and rightly so, I think.
> 
> It depends.
> 
> If allowed, this becomes part of the strategy and is fair play.
> 
> If not allowed, this encourages smaller teams to merge before contest
> start - so in that sense it discourages smaller teams from directly
> participating in the contest (contrary to what you're trying to achieve,
> it seems).  I am speaking in general, though.  This might not apply to
> the specific teams this year.

The largest thing that (I hope) encourages smaller teams to participate
is the semi-protected nature of the challenges: the limits on per-team
wins of challenges mean a handful of large teams cannot claim all the
prizes for them.  (This is another reason we have to be sticklers about
allowing open / overlapping teams, etc--else each john-users member
could register as their own team and each claim a challenge prize, and
consume them all ;)

> You ought to clarify this - and make sure teams are well-informed of
> this new rule.

It should now be clarified.  We will see how this goes and the feedback
we get from this approach; we might modify it for next time, if this
proves to be too restrictive.

> I think the smaller vs. larger distinction is not necessary (and may
> sometimes be difficult to determine) - it's sufficient to specify that
> one team feeding cracks to another is allowed, but only the
> highest-scoring of such merged teams is eligible.

Well, the only way this works is if one team is a direct superset of the
others--we certainly do not want to allow overlapping teams that are not
subsets.  In that case, "larger" should be the same in terms of both
score, and number of participants--if otherwise, there would be a
problem.  (i.e. how could team foo be part of john-users, feeding you
their cracks and supposedly not taking any, and end up scoring higher
than john-users?  They must be either taking cracks from you, and/or
"holding out" on you.)

> In practice, though, some folks who would feed cracks to us are so
> law-abiding that they may choose not to do it given the new rules, even
> if you say it's "sort of OK".
> 
> In general, laws often hurt law-abiding citizens the most.

Well put ;)  OK, so just to make sure it is clear, folks working as an
independent team and also feeding cracks to another team are allowed,
provided a) they tell us it is happening (so there's no doubt about the
behavior if another team finds out and wonders/complains to us), and
b) they understand that only the team they're feeding are eligible to win
prizes.  I believe the language at /intro.html is now clear on this.

-- 

Hank Leininger <hlein@...elogic.com>
D24D 2C2A F3AC B9AE CD03  B506 2D57 32E1 686B 6DB3
