Forwarded from: sk00t <sk00t (at) cipherpunx.org>
[ New contest for those attending Defcon 15 - WK ]
http://ownthebox.cipherpunx.org
https://forum.defcon.org/forumdisplay.php?f=337
# Øwn the box? Own the box!
Are you a defensive ninja? Are your services unbreakable, your builds
airtight? Do your countermeasures have countermeasures for
counter-countermeasures?
So prove it, bucko... Bet your box on it, on the most hostile network in
the world.
Bring your laptop/server/desktop, hardened to the nines, running exactly
two (2) visible services, to our specs, and we'll offer you up for the
slaughter.
The first person to compromise you walks away with your gear. When
you're øwned, you're owned. It's that simple. The last box(en) standing,
unowned, wins, and the winner(s) can take his/her precious back home,
safe in the knowledge that if it survived at DC, it can survive
anywhere. Plus, get cool prizes and mucho street cred.
For the other side of the fence, the reward is clear... Pick your
target, Øwn the box, and own the box. A shopping spree for the elite.
# CFB: Call for Boxen
Vendors, hardening projects and security-centric distros? Random people
with Crays in their basement? Bring your gear, plug it in, and prove
your worth. Earn cool prizes (we don't know what yet, but they'll be
cool, we promise) and earn mucho street cred.
If we don't see at least two boxes from the OpenBSD folks, and
Adamantix, Hardened Gentoo and others, we can only assume you're
nancy-boys. Here's a chance to put your money, and your gear, where your
mouth is.
But what about Vista? OSX? Quick Bill, tear the BlueHat boys away from
their X-Boxes and get to work! Steve, bring the OSX security team (you
have one, right?) back from the Ashram and tell them they have a chance
to redeem their Karmic energy from the last few 0day embarrassments!
And how about the freaky stuff? Amigas running Cern httpd on Plan 9?
Pocket calculators with IP stacks? Bring it on. We have at least one C64
coming that we know of, but we want more.
For our part, we'll make sure the scenarios are real, and everyone gets
a fighting chance. We're putting some of our own gear up for grabs as
well.
To sign up, post on the DC forums, or send a mail to ownthebox {at}
cipherpunx {dot} org.
# Whiskey Tango Foxtrot?
This all started with Dragos Ruiu's "pwn to own" contest this year at
CanSec West with two Macbooks up for grabs, so much love and respect for
the idea.
Seriously, thanks, man. (Hey, the dude has a sword...) But it got us
thinking, why not extend the concept a bit and ask the entire DC
community to pitch in?
We also thought the idea of something more casual, extending on the
attackers / defenders scenario, would be fun... CTF and aCTF are
awesome, but they're a lifestyle choice. Competing means giving up the
B&W Ball, talks, and all else that is DC. The goal of this contest is to
give attackers and defenders a chance to prove their worth, without
giving up the rest of con, with some obvious real-world stakes.
# Rules, Regs, Reqs
Defenders:
You will need to bring a machine running two visible services, that
actually work, and do stuff, something beyond just a vanilla install of
WhizzBangOS 9.0 with the latest patches. Be prepared for handling local
/ authenticated users as well. We're going to be a bit intentionally
vague until closer to the con.
Mail the address in the Call For Boxen for more detail. You will be
placing a file somewhere on the box with a large random value, which can
only be known to someone who successfully compromises the box. Expect
this to not be easy, but expect it to be fair as well.
Once you bring the box in, and cable it up, you will walk away until the
end of the contest. You do not get to watch it, monitor it, or give it
hugs and kisses. Imagine you're a sysadmin taking the weekend off in
Vegas. Oh, wait...
Attackers:
Anyone can play, and everyone at con is a potential attacker. As long as
you have an ethernet port, you will have access to the targets, on a
local LAN. They may even end up on the DC Wifi, we're not sure yet.
We'll provide the IP ranges and a scoreboard of what's available. If you
can supply us with the random value placed on the filesystem of the box,
you get the box. Stupid things like DOSing will be kind of pointless,
but if you do them we will make sure Bad Things happen to you, okay?
This archive was generated by hypermail 2.1.3 : Thu Jun 14 2007 - 23:51:12 PDT