How to Win Def Con's Capture the Flag Contest 
By Riley Eller

Riley Eller gives us inside hints on coming out on top of Def Con's hacking competition,

First, let me describe what Def Con's Capture the Flag Contest is. As you'll see on the show tonight, a few hacker teams cram into a huge smoky room every summer to show their stuff.

The contestants have their eyes on a group of about a dozen computers, each prepared lovingly to attract attention and repel intrusion attempts. Successfully penetrating the security of one of these machines is worth a point. The team with the most points in 48 hours wins a little cash and a lot of bragging rights.

What makes a good team
After winning the last three contests, the Ghetto Hackers team hung up its collective xterm and switched into the role of host. While the rules are going to change quite a bit this year, the traits of a winning team won't.

Good teams will have a skilled site cracker, reliable laptops, a farm of computers back at home prepared to compile exploit code, mirrors of several full-disclosure websites, and a leader to balance the team's efforts against likely targets. Good teams don't often win.

Avoid being worn down

If you've heard of the contest, you might expect that the most skilled or knowledgeable hackers would triumph. However, Capture the Flag is a contest of frustration. So winning teams will have music, entertainment, loud voices, pretty wallpapers, and anything else they can imagine to battle the stress, frustration, and exhaustion that comes with the game.

They will understand the rules, analyze them for weakness, and plan to exploit loopholes immediately after the starting announcement. Serious teams lose because they give up too soon. Even amazingly wide security holes can go unnoticed for the weekend only to be exploited minutes after the contest has ended.

Top five traits of winners
With that advice out of the way, here are my top five traits of a winning CTF team and advice to would be contenders.

5. Winners are prepared
You should bring extra batteries, CAT-5 cable, cash, laptops, MP3 players, paper and a writing device, and lots of diet supplements such as bottled water, Red Bull, Coca-Cola, and sundry liquid refreshments.

4. Winners have fun
You should not play the game if you don't plan to enjoy yourself. Go with a team of friends or introduce yourself to a bunch of strangers and give them gifts. Bribery makes fast friends. Eat with your team, joke with them, and see the nightlife with them. It is nearly impossible to maintain your concentration, much less consciousness, for two days straight, so you'll need massive doses of stress and anxiety relief. Having fun is the first, best line of defense against banging your head repeatedly into walls and tables.

3. Winners are skilled
You should brush up between now and summer. Read the security sites, learn the exploits, compile and test them on your home computer (after you back it up). Be prepared to apply your knowledge to similar, hard problems.

2. Winners are sneaky
You should be comfortable "cheating" so long as you aren't cheating. Past rules have prohibited denying others the ability to participate. Everything else has been fair and expected. Bribery is frowned upon but not technically illegal. The astute reader recognizes that "not technically illegal" means the same as "technically legal."

1. Winners are persistent
You should stretch often, eat as well as possible, and plan to lose two days of your life to the game. Taking a break is tantamount to surrender, so be sure part of your team is playing at all times -- even after the doors close at night. All the greatest stories from the contest happen in the last 12 hours.

I mentioned in passing that the game would change this summer. The format will set each team as a contracting corporation competing to be the most profitable after a 48-hour review. Server administration will be a requirement for each team, the initial playing field will be leveled by audited functionality requirements, brute-force solutions will be punished in scoring dollars, and several real-world hacking skills will be rewarded. The full announcement will be available soon from the Def Con website and also from the Ghetto Hackers.

As well as being a member of the Ghetto Hackers, Eller is also security architect for Internet Securities Advisors Group.

Posted on April 19, 2002

© TechTV