
DEF CON Hacking Conference

Call for DEF CON Capture the Flag Organizers Version 3.0

2017 October 2 (Look, we're ISO compliant!)

Please spread this announcement far and wide!


WANTED:

A dedicated team of hackers to organize with DEF CON the Capture The Flag competition.

WHY:

Past organizers, like a good DARPA project manager, organize for a limited time, generally three to five years. With LegitBS ending their five year reign it is time to invite all those interested in advancing the state of CTF contests to propose how and where they would take the DEF CON CTF.

WHAT YOU GET:

• Everlasting fame and undying glory

• Intrusive media interviews 

• The respect of your peers

• The envy of your enemies (and most of those peers)

• The priceless story of how you revolutionized CTF.

DO YOU KNOW WHAT WE ARE TALKING ABOUT?

LegitBS, following DDTEK, cemented the DEF CON CTF as the World Series of CTF contests with such favorites as “It's all embedded devices!” and “Wait - Windows?” and the sweet curve ball of writing everything to compete against the winner of the CGC at DEF CON 24. What would you do as the organizer?

Here is your chance to step up to a global stage and show off your skills at crafting unique challenges designed to test the world's best CTF teams.

YOUR CONSTRAINTS:

We offer a lot of flexibility for the organizers to create as they see fit: you design the network topology, you make the rules, you decide who wins. We want you to do a lot more than just reproduce any past CTF contest. We want you to think big, push the envelope and change the game.

That said, there are some important constraints. Here is a short list:

- The contest must be head to head combat oriented, not jeopardy style, with a multitude of skills needed to be successful.

- The competing teams will come from a mix of pre-qualification and teams that have won pre-determined CTF contests at other events.

- No less than 10 teams, no more than 20 due to physical space constraints.

- Take into consideration how to make the contest interesting to spectators.

- Clearly be able to explain how scoring works and be as transparent as possible.

- Provide pcaps of the contest that will be shared with the community.

- Clearly communicate the rules to the participants before the contest, set up clear eligibility requirements (if any) before the conference, set up the network, provide any infrastructure that you wish to be part of the game, referee the game while it is taking place, create a scoring system that observers can view to get an idea of what is going on, and determine winners. The easier it is for contestants to understand how to win, the more fair the contest will feel.

- The contest must end no later than 14:00 Sunday at DEF CON in order to provide time for final scoring and the awards ceremony.

YOU MUST NOT:

• Interfere with the DEF CON networks (i.e.: it must be a separate network)

• Interfere with the 'live Internet', involve non-consensual parties (i.e. anyone who hasn’t explicitly agreed to take part in the contests)

• Take bribes that are not equally shared with the DEF CON staff. 

• Take sides - you must be totally neutral and fair.

• Be a black box. You don't have to give away your secret sauce source code, but you need to be transparent in the event the result is cast into doubt.

YOUR SUBMISSION WILL BE JUDGED:

• On any innovations or revolutionary enhancements to the game.

• On the feasibility of your team getting all the work done (note: we will publicly humiliate you if you get accepted and fail to perform!)

• On the amount of fun that participants will have.

• On how your contest contributes to the World Series aspect of the contest.

• On how well the final winning team really represents those with the best skills, and not just luck, to come out on top.

CAN YOU SUBMIT MORE THAN ONE CONCEPT?

Yes. But please submit them separately so as to minimize confusion on our end.

WHAT HAPPENS THEN?

Once you submit your ideas we will start communicating with you to clarify anything we don't understand. Feel free to ask us questions so you know what you are getting yourself into. Past organizers did very well because they had a large enough pool of talent to draw upon when building their automated systems, and the time to test them in advance.

RESOURCES WE CAN PROVIDE:

• Badges to the conference and access to the CTF area for setup beginning Tuesday before the con.

• Physical space roughly equal to that which has been provided at past DEF CONs.

• Tables for participants to use. 

• Screens and LCD projectors to display data with.

• Network connections from the net if necessary.

• Some network gear and power strips - please let us know early what you need so we can plan for it.

• Prizes for the winning people or teams, 8 black badges maximum, 8 exclusive DEF CON CTF leather jackets.

• Hotel rooms for the organizers and all the qualified teams.

• Other custom things like art, Easter eggs in the printed program, website, etc.

• Some money to help pay basic costs.  While we don't have a fortune for CTF we can make life easier for the organizers and contestants.

RESEARCH POINTERS:

If you haven't been to DEFCON before, you should understand the environment your contest must operate in! https://www.defcon.org/ will get you started. These may help give you an idea about past contests, what has worked, and what hasn't.

DEF CON CTF Website:
https://www.defcon.org/html/links/dc-ctf.html

LegitBS has documented a lot of their process, and it’s a great resource for learning what goes into making a great CTF.

LegitBS website:
https://legitbs.net/

While you’re on the LBS site, make sure to check out their blog (blog.legitbs.net). They talk about their scoring policies, commitment to transparency and many of the behind-the-scenes challenges in a way that is sure to be useful to first-time CTF hosts.

There’s also a bunch of goodies like LBS’s scoring architecture, qualifications back-end, and some previous challenges:
https://github.com/legitbs

Other Resources:

DDTEK website:
http://ddtek.biz/

Worldwide CTF tracking site:
http://ctftime.org/

Online repositories of various CTF related data:
http://repo.shell-storm.org/CTF/
http://captf.com/

DEF CON 25 CTF Organizer Panel:
https://www.youtube.com/watch?v=MbIDrs-mB20

Psifertex' Defcon 17 Presentation - Maximum CTF:
http://www.youtube.com/watch?v=-6mI3tp6RxI
https://media.defcon.org/DEF CON 17/...Getting the most out of Capture the Flag - Video and Slides.m4v

Ceazar gave a presentation on running hacking contests at Black Hat Asia (learn from a master):
https://www.blackhat.com/presentations/bh-asia-04/bh-jp-04-pdfs/bh-jp-04-eller/bh-jp-04-eller.pdf

A rundown of DEF CON 16 CTF by atlas of team l@stplace (DEF CON 14 and 15 CTF Winners):
http://atlas.r4780y.com/cgi-bin/atlas/2008/08/12

Walkthroughs of the last 2006-2009 CTF Competitions:
http://nopsr.us

Interview with Def Con CTF Winning Team Member Vika Felmetsger (2005):
https://taosecurity.blogspot.com/2005/08/interview-with-def-con-ctf-winning.html

So you want to play a game?

I’M IN! HOW DO I SUBMIT MY REVOLUTIONARY IDEAZ?

1. Fill out the application below. You will receive an acknowledgment that your submission was received within three business days of us receiving it unless we are snowed in and the interwebs are broke.

2. We will use relatively simple criteria to judge your entry.

• Feasibility of your team pulling it off taking into consideration who is involved in your team, resources you have, etc. 

• The amount of fun we imagine the participants will have with your contest.

• The coolness or innovation you bring to the contests.

3. We will contact finalists and ask them further questions, and talk over any questions that we will inevitably have. Please rest assured that we will help get a really good idea over the finish line. You’re not alone in this.

4. We will announce the winner(s) as soon as we can after the close of the CTF CFP date.

5. We will work out details over the phone, participating in your game creation (not interfering with it, just ensuring everything is going smoothly). We will conference call with you and may fly you out to sunny Seattle to meet with us to discuss planning for the event.

6. If you desire their help, LegitBS, just like DDTEK, has volunteered to spend time working with the selected team, answering their questions, explaining their process and what they learned in designing their game. This is a pretty awesome resource - you should consider taking advantage.

APPLICATION:


All contact information will be kept private, and not disclosed outside the DEF CON planning organization.

Name of your organization:
Name of primary contact:
Email Address of Primary contact:
Phone number of primary contact:

The number of people in your organization that will actively be participating in creating the CTF

Experience the team members have had in planning events, and CTF participation experience.

Technical ability of your team. This would include a general list of people's abilities (networking, hardware, etc.) and support the idea you can pull this off:

Physical resources, if any, that you will be bringing to help run CTF such as a disco ball, robots or enigma machines to help us plan to accommodate it with the hotel if you require extra power or special fire marshal approval.

EXPLAIN YOUR VISION:

- Explain, in a general manner, your vision for the CTF.

- Talk about your motivation for wanting to put in thousands of hours and take the risk of organizing the DEF CON CTF.

- Explain how you hope the contestants will experience it. For example, do they sign up on-line, get a secret package in the mail, start blindfolded with an unusual laptop? Are there certain crisis points you will introduce during the game to confuse or add to the pressure?

- How do players or teams qualify (if there are qualifications)?

- Is it multi player or single-player, or a combination?

- What innovations or new ideas are you bringing to CTF?

- How long will the contest take, will it be 24x7, 8 hour shifts, etc.?

- Explain what you believe is the best way to gauge a hacker's abilities, and how your vision of the contest could do this?

- What technical work is required to execute your plan? This includes setting up environments beforehand, pre-qualification work if any, writing a scoring system, etc.

- Give an outline of the rules that will be presented to the participants:

- What hardware resources do you request or need from DEF CON?

- Tell us anything else that you think may be important or that we might consider in choosing your group to host CTF.

SEND ‘EM IN!

Deadline is January 1st, 2018. Submissions go to ctf [at] defcon [d0t] org

New announcements will be on the main DEFCON web site as well:
https://www.defcon.org/

Thank you!
The Dark Tangent