Dailydave mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Dreaming of Summer

From: <ph00dy () hushmail com>
Date: Sun, 7 Dec 2003 16:10:58 -0800
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hey *,
  Sorry to chime in on this so late, but I've been too busy to read email
as of late and couldn't resist on the reply. Ctf was a sysadmin contest.
Not by design of the contest as much as the scoring. The scoring focus
was on uptime instead of roottime(tm). Look at the results. Anyone who
was there will remember ceasar talking about how "sharkbait" had owned
* many times over and had thier flags all over everyone, but somehow
they got 3rd because the other teams had better uptimes. It's the ghetto
crew's deal so they can score it however they want (which was a mystery
to everyone watching the board as it went up and down for no particular
reason), but in my mind a contest of that nature should probably have
more focus on who's owning who and for how long and less on if your mudd
is up or not.

Also... no disrespect to anyone but I'd also like to say that my perception
of a "secured build" generally isn't one with sql injection vulns, bad
passwords, vulnerable applications, trojained binaries, and configuration
files with passwords sitting on the / of the webserver running on openbsd,
 but that is just me.

All that being said it was still fun.

ph00dy


Actually, that's very much what the game was like last year- They
gave
us
a relatively secured build with lots of insecure e-biz-type apps
running
on it. You got points for keeping them up for extended periods and
also
for
capturing and then keeping a service.

The games have been fairly interesting the last two years.

t

-----Original Message-----
From: dailydave-bounces () lists immunitysec com
[mailto:dailydave-bounces () lists immunitysec com] On Behalf Of David
Maynor
Sent: Saturday, December 06, 2003 8:54 AM
To: Brass, Phil (ISS Atlanta)
Cc: dtangent () defcon org; dailydave () lists immunitysec com
Subject: RE: [Dailydave] Dreaming of Summer


On Sat, 2003-12-06 at 11:35, Brass, Phil (ISS Atlanta) wrote:

Screw defense.  You come in with whatever equipment you want.

The
host

sets up a set of targets.  You attack them.  Maybe there's a duplicate
set of targets, one for each team.  Maybe there's just one set

(more

chaotic, IMHO).  You get points for taking control of target services
and/or networks.

That gets rid of the sysadmin aspect.


I like the aspect of holding the service after its owned. At this
point
you have to consider the switch vs. no switched network. If everybody
i
attacking the same machine, tcpdump caps are trivial meaning that
teams
could gain access just by copying other teams.

I would be infavor of something like a themed contest. For instace
this
year we have a ecomm site running on a trusted OS. There is a series
of
points awarded for how far you get. This deep sixes competeing against
other teams and makes it more blackhat like, its your team vs the
target.
--
David Maynor
http://www.0dayspray.com/~dave
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave



-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.3

wkYEARECAAYFAj/TwiYACgkQI04fV6DUWemOtQCfaE1BX6aaoK3KMLW9MmwdufNMBOkA
n1UWKQkjNbgSaFCKCR6YUPDbGKdp
=WxB3
-----END PGP SIGNATURE-----

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave
Previous By Date Next
Previous By Thread Next

Current thread: