[ISN] CFB (Call for Boxen) 0wn the box? Own the box!

From: InfoSec News (alerts@private)
Date: Thu Jun 14 2007 - 23:31:50 PDT


Forwarded from: sk00t <sk00t (at) cipherpunx.org>

[ New contest for those attending Defcon 15 - WK ]

http://ownthebox.cipherpunx.org
https://forum.defcon.org/forumdisplay.php?f=337


# Øwn the box? Own the box!

Are you a defensive ninja? Are your services unbreakable, your builds 
airtight? Do your countermeasures have countermeasures for 
counter-countermeasures?

So prove it, bucko... Bet your box on it, on the most hostile network in 
the world.

Bring your laptop/server/desktop, hardened to the nines, running exactly 
two (2) visible services, to our specs, and we'll offer you up for the 
slaughter.

The first person to compromise you walks away with your gear. When 
you're øwned, you're owned. It's that simple. The last box(en) standing, 
unowned, wins, and the winner(s) can take his/her precious back home, 
safe in the knowledge that if it survived at DC, it can survive 
anywhere. Plus, get cool prizes and mucho street cred.

For the other side of the fence, the reward is clear... Pick your 
target, Øwn the box, and own the box. A shopping spree for the elite.


# CFB: Call for Boxen

Vendors, hardening projects and security-centric distros? Random people 
with Crays in their basement? Bring your gear, plug it in, and prove 
your worth. Earn cool prizes (we don't know what yet, but they'll be 
cool, we promise) and earn mucho street cred.

If we don't see at least two boxes from the OpenBSD folks, and 
Adamantix, Hardened Gentoo and others, we can only assume you're 
nancy-boys. Here's a chance to put your money, and your gear, where your 
mouth is.

But what about Vista? OSX? Quick Bill, tear the BlueHat boys away from 
their X-Boxes and get to work! Steve, bring the OSX security team (you 
have one, right?) back from the Ashram and tell them they have a chance 
to redeem their Karmic energy from the last few 0day embarrassments!

And how about the freaky stuff? Amigas running CERN httpd on Plan 9? 
Pocket calculators with IP stacks? Bring it on. We have at least one C64 
coming that we know of, but we want more.

For our part, we'll make sure the scenarios are real, and everyone gets 
a fighting chance. We're putting some of our own gear up for grabs as 
well.

To sign up, post on the DC forums, or send a mail to ownthebox {at} 
cipherpunx {dot} org.


# Whiskey Tango Foxtrot?

This all started with Dragos Ruiu's "pwn to own" contest this year at 
CanSecWest with two Macbooks up for grabs, so much love and respect for 
the idea.

Seriously, thanks, man. (Hey, the dude has a sword...) But it got us 
thinking, why not extend the concept a bit and ask the entire DC 
community to pitch in?

We also thought the idea of something more casual, extending on the 
attackers / defenders scenario, would be fun... CTF and aCTF are 
awesome, but they're a lifestyle choice. Competing means giving up the 
B&W Ball, talks, and all else that is DC. The goal of this contest is to 
give attackers and defenders a chance to prove their worth, without 
giving up the rest of con, with some obvious real-world stakes.


# Rules, Regs, Reqs

Defenders:
You will need to bring a machine running two visible services, that 
actually work, and do stuff, something beyond just a vanilla install of 
WhizzBangOS 9.0 with the latest patches. Be prepared for handling local 
/ authenticated users as well. We're going to be a bit intentionally 
vague until closer to the con.

Mail the address in the Call For Boxen for more detail. You will be 
placing a file somewhere on the box with a large random value, which can 
only be known to someone who successfully compromises the box. Expect 
this to not be easy, but expect it to be fair as well.

Once you bring the box in, and cable it up, you will walk away until the 
end of the contest. You do not get to watch it, monitor it, or give it 
hugs and kisses. Imagine you're a sysadmin taking the weekend off in 
Vegas. Oh, wait...

Attackers:
Anyone can play, and everyone at con is a potential attacker. As long as 
you have an ethernet port, you will have access to the targets, on a 
local LAN. They may even end up on the DC Wifi, we're not sure yet.

We'll provide the IP ranges and a scoreboard of what's available. If you 
can supply us with the random value placed on the filesystem of the box, 
you get the box. Stupid things like DOSing will be kind of pointless, 
but if you do them we will make sure Bad Things happen to you, okay?






