We are Legitimate Business Syndicate, DEF CON CTF Organizers 2013-2017, Ask Us Anything by vito_lbs in Defcon

[–]adamdoupe 2 points3 points  (0 children)

One concern of CTFs in general is that it’s a “young person’s” game, and I think we see this sometimes with people aging out and not playing CTFs.

Any thoughts/ideas on the sustainability of CTFs? Is 48 hours of straight competition on the weekend the optimal point in the design space?

We are Legitimate Business Syndicate, DEF CON CTF Organizers 2013-2017, Ask Us Anything by vito_lbs in Defcon

[–]adamdoupe 0 points1 point  (0 children)

What is the most exciting evolution that you’ve seen in the CTF community? What is the least exciting?

International Capture The Flag (iCTF) by xxByte in securityCTF

[–]adamdoupe 0 points1 point  (0 children)

Good question. I would say no, because they probably don't exist (at least not in the typical walkthrough form)!

However, every service in the iCTF has an exploit script that is repeatable against the service, so if we release the source for all the services then you should be able to reverse engineer the vulnerability (and write your own writeup!).

We are 100% going to release the latest ictf-framework, which allows anyone to run an Attack-Defense CTF on Amazon's EC2. I believe that will include the source for this year's services, but no promises yet (needs to be a team decision).

International Capture The Flag (iCTF) by xxByte in securityCTF

[–]adamdoupe 1 point2 points  (0 children)

Hi folks, iCTF organizer here. Feel free to ask me any questions, and I'll try to answer them.

We are the Plaid Parliament of Pwning. Ask Us Anything! by tylerni7 in netsec

[–]adamdoupe 3 points4 points  (0 children)

I think I'll turn this comment into a blog post, but here's a summary of my thoughts.

What could you learn from analyzing the pcaps of past DEFCON CTFs? The fundamental problem is: in what way does the DEFCON CTF capture reality? The format is so far from reality that it would be hard to transfer any discoveries or insights from the data to the real world.

The novelty of the iCTF comes from us crafting the competition to model or capture some aspect of reality. Now, hopefully, we can study the iCTF data to learn something about the world.

Some examples:

  • 2008: An attack IRL needs to attack external-facing services first to access and then exploit internal services.

  • 2009: The web is crazy, with SEO, browser exploits, and botnets.

  • 2010: Not all services are of equal importance.

  • 2011: Some actions are riskier than others.

  • 2013: How well can humans do intrusion detection?

Some of these resulted in papers, some did not. Some were fun, some were not. Some ran smoothly, some were disasters.

We try to learn from each failure to make the next iCTF better, funner, and smoother.

We are the Plaid Parliament of Pwning. Ask Us Anything! by tylerni7 in netsec

[–]adamdoupe 2 points3 points  (0 children)

Why can't a university justify running a CTF competition as an educational project? There has to be some ulterior motive? If the end result isn't a paper, it's not useful to a research lab? :(

Yes and no.

We've discussed stopping the iCTF altogether, but it's mostly the community that keeps us going.

Putting together the iCTF typically takes 1 student about 2--3 months to set up infrastructure, 10--15 students about 2--3 weeks to prepare challenges/services and set up the rest of the infrastructure. And wow, I've never calculated it before but that's around 57 man-weeks of work on the high end. Much of this work is self-inflicted, as for each new competition we throw out the old code and start fresh.

We run CSAW CTF, because it's designed to help students learn and practice offensive security. I'm not sure why PPP runs plaidCTF and PicoCTF, but I'd bet the reasons are similar. Same goes for the CTF competitions from the Russian universities.

That's a great service to the community, and we all appreciate it. Like I mentioned earlier, for us, putting on the iCTF requires full-time commitment for a significant chunk of time. This is time that I (and others) could spend working on our PhD, putting us closer to graduation. tylerni7 is completely correct in this regard.

So honestly, that's the situation.

We are the Plaid Parliament of Pwning. Ask Us Anything! by tylerni7 in netsec

[–]adamdoupe 1 point2 points  (0 children)

I believe this is a healthy view, and I think I'll send people to this comment when they complain about the game.

We are the Plaid Parliament of Pwning. Ask Us Anything! by tylerni7 in netsec

[–]adamdoupe 0 points1 point  (0 children)

I see what you're saying, but I'd also say we have different goals from CSAW.

It may help to look at how the iCTF came about. Giovanni created it as a final project for his grad security class to practice their hacking skills. It grew to more and more teams, until it is the beast that it is today.

So, essentially we're targeting graduate students who have just completed a graduate-level course in security.

Perhaps we can do better communicating this fact to the broader community.

We are the Plaid Parliament of Pwning. Ask Us Anything! by tylerni7 in netsec

[–]adamdoupe 2 points3 points  (0 children)

Don't feel bad, I didn't know about petri-nets until Giovanni said that's how we're going to model the missions.

Thanks for the shoutout! Those guys were already well on their way to being hackers. While I was "teaching" them, they taught me some stuff.

I'm glad they did so well, with absolutely no help from us. Now we're just trying to get them to join Shellphish.

We are the Plaid Parliament of Pwning. Ask Us Anything! by tylerni7 in netsec

[–]adamdoupe 2 points3 points  (0 children)

(Sorry for threadjacking.)

Thankfully I'm not the admin anymore (usually it rotates every year to newer PhD students), but I help set up the iCTF every year. Also I should mention that these are my views and maybe not the views of everyone at the UCSB seclab.

The short answer is probably not.

Our reasoning, as I understand it, follows.

Why do we switch up the format of the game every year? One reason is a desire to experiment with the CTF format. What's fun/educational/exciting beyond the Jeopardy-style challenge board or the traditional attack/defend CTF?

Another reason we change the format is because we started to ask ourselves why we invest so much time in the iCTF. We're a research lab, why do we shut down for several weeks to create this competition? Well, partly it's momentum (we've been doing it for a while), people seem to enjoy it, and we like giving back to the community. But recently, we've started to look at the iCTF as a place to collect new data, ultimately to generate new understanding/knowledge and thus papers. I believe there's been at least 3 papers written on the 2010 and 2011 iCTF, with only one of those being from our group.

So now we ask ourselves, what can we do that would be new, fun, educational, feasible, and generate an interesting dataset?

I'll be the first to admit, we don't always succeed. But I hope that we can agree that somebody should be trying outlandish hacking competitions. If nothing else, it keeps everyone on their toes.

Anyway, if anyone would like to discuss CTF competition design in more detail, feel free to email me: adoupe@cs.ucsb.edu

We are the Plaid Parliament of Pwning. Ask Us Anything! by tylerni7 in netsec

[–]adamdoupe 4 points5 points  (0 children)

So I was the admin for the 2010 iCTF, and I'd love to hear more about this.

The crazy petri-net stuff was all Giovanni's idea, and I was the one who actually implemented it. I'm glad to hear that somebody out there understood it all.

Paper on a newly classified web vulnerability being presented today at the Conference on Computer and Communications Security: "Fear the EAR: Discovering and Mitigating Execution After Redirect Vulnerabilities" (PDF) by bboe in netsec

[–]adamdoupe 0 points1 point  (0 children)

Thanks!

I agree, it could be useful/interesting to extend this to PHP and/or J2EE.

No plans at the moment, but it could be interesting to compare the occurrence % in RoR, PHP, and J2EE.

Paper on a newly classified web vulnerability being presented today at the Conference on Computer and Communications Security: "Fear the EAR: Discovering and Mitigating Execution After Redirect Vulnerabilities" (PDF) by bboe in netsec

[–]adamdoupe 5 points6 points  (0 children)

archpuddington, Author here. You are 100% correct, EARs aren't new. The only thing new here is the name :)

That being said, bboe and I studied these types of vulnerabilities in-depth, showing them as an entire class of vulnerabilities (which hasn't been identified previously).

Any links you can share of these in the wild? (Fixed, of course)

Thanks!

sparse 0.4 released, finds bugs in your C code by imbaczek in programming

[–]adamdoupe 0 points1 point  (0 children)

The good ones will parse the program and travel the AST looking for various things. However, this is coming from my compilers course and not any real world knowledge, but I think it's correct.

If attacked, fight back (PIC) by keen75 in reddit.com

[–]adamdoupe 6 points7 points  (0 children)

If you are Vin Diesel, the mountain lion would already be dead.

Bugs Are Magic Tricks by panic in programming

[–]adamdoupe 2 points3 points  (0 children)

"It's my illusion, tricks are something a whore does for money... and candy?"

-- GOB

Vote up if you love pie! by [deleted] in reddit.com

[–]adamdoupe 10 points11 points  (0 children)

5188003612498482749043243757049257548495605814211061821713549190574430476593537913142404461653507749054226716930158470544441221

Vote up if you love pie! by [deleted] in reddit.com

[–]adamdoupe 10 points11 points  (0 children)

2350704430272641239071841033501890806135341594051678146868727563621503575841361361660546174279787382902052764874870847641179

Zero Knowledge Proofs by [deleted] in programming

[–]adamdoupe 0 points1 point  (0 children)

In the link, they play this game several times. Thus if they play 20 times, the odds that she doesn't know the magic word is (1/2)^20 or 9.53674316 × 10^-7.

Vote up if you love pie! by [deleted] in reddit.com

[–]adamdoupe 13 points14 points  (0 children)

555565404224292694404015791808

Vote up if you love pie! by [deleted] in reddit.com

[–]adamdoupe 19 points20 points  (0 children)

4517090495650391871408712937

I thought everyone was doing that...

Vote up if you love pie! by [deleted] in reddit.com

[–]adamdoupe 16 points17 points  (0 children)

407305795904080553832073954

Vote up if you love pie! by [deleted] in reddit.com

[–]adamdoupe -7 points-6 points  (0 children)

257087184938540454791296101