Some Fun

This year, faculty (i.e., ek & ck) were also officially allowed to take part in the contest so they contributed and actively took part. The TU Vienna participated in the contest with the following unforgettable team and managed to win the contest! (great job folks!):

Team Name: We_0wn_Y0u

Team Members (sorted by last name):

• CHRISTIAN "Ghost Soldier X" BIESINGER
• ADRIAN "Warez Ninja" DABROWSKI
• JOHANNES "Blue Badger" DUENSER
• VLADIMIR "Uber Wing" DRIENOVSKY
• MANUEL "The Pizzaman" EGELE
• HANNO "Neon Smurf" FALLMANN
• BENEDIKT "Black Doom" HUBER
• NENAD "The Static" JOVANOVIC
• MARKUS "'Hex Cypher" KAMMERSTETTER
• SYLVESTER "Script Gimp" KEIL
• CLEMENS "Gray Bios" KOLBITSCH
• CHRISTIAN "Electric Storm" LUDL
• FLORIAN "Demon Adapter" LUKSCHANDER
• GILBERT "Uruk-hai" MARC WONDRACEK
• DAVID "Fire Sniffer X" MARKVICA
• MARCUS "Merciless Mercury" MEISEL
• SEAN "Parallel Maniac" MC ALLISTER
• WOLFGANG "Extreme Nexxus" MIEDL
• ANDREAS "The Magnificent" MOSER
• FLORIAN "The Braveheart" NENTWICH
• THOMAS "Master Mage" OGRISEGG
• JOSEF "Caffiene Wizard" PFLEGER
• CHRISTIAN "Omega Hash" PUCHER
• THOMAS "Cryptic Circuit" RAFFETSEDER
• DANIEL "Disco Soldier" SCHEIDLE
• STEFAN "Lawless Skeleton" SLABY
• MARTIN "The Postman" SZYDLOWSKI
• PETER "Demon Data" WURZINGER

The first team members started arriving at around 15.00. These were mostly lab members who were hoping to "secure" the most comfortable seats (experience pays off folks :-)).

It took about an hour for everyone to settle in and the CTF room became quite crowded. Hence, some people had to move to the ti-lab that is next to the CTF room. Once we settled in, the new CTF participants (i.e., the majority of the CTF team) were briefed on the details of the CTF and our infrastructure.

The contest was supposed to start at 17.00 our time, but there were some delays and we received the key for the image at around 18.00. This actually was not too bad for us... the new Netgear switch we had just bought for the CTF gave up at some point and many people were disconnected. So we had to go to the server room and get a switch from there (which means we had to disconnect some stuff ;-) -- eeehm... oh, well...).

UCSB had promised a big surprise this year. We did not know what was coming, but had a gut feeling that we were going to get some system like Open BSD or Windows (shiver). That would have meant looking up stuff using Google most of the time and the fun factor would have decreased. Luckily, the image was Ubuntu :-) However, the big surprise was the scoring system... it was not a Capture the "Flag" contest anymore, but a Steal the Money contest ;-)

The game was completely different this time. Every team was a bank, there was a limited amount of money, and the aim was to steal money from other teams. The first thing we had to figure out was how money transactions worked. This was easier said than done. If you get a system without any documentation (and partially no source code), even "simple" things can become complex ;-) After about half an hour, we found out how to make transactions. At the same time, small groups of people were working on the services. Everyone was trying to patch their services and write exploits that could be used on other teams.

We tried out a couple of exploits, but were not sure if they were working. It is difficult to debug something if you do not know if the way you are doing transactions is actually correct. Luckily, after a couple of rounds, our account balance started to increase and we started becoming confident that we were doings things right.

During the entire contest, we managed to stay in the top 5 lists for the most reliable services and the best hackers. For quite a while, the Wizards of DoS (good folks from TU Darmstadt) were leading the "best hackers" list. However, our advantage was that we were in both lists and were also getting defensive points. That probably made a difference. Furthermore, once in a while, we received interesting challenges (so called quests) from the central bank (i.e., UCSB) that brought money if they were solved fast. We managed to solve quite a number of quests.

So are we the best security guys in the world now (like 0ld Europe [Aachen] announced last year after they won *grin*)? It is cool to think so, but it is important not to forget that this is just a game. In such a large-scale game, some teams may get disconnected, some may have difficulty with English, or they might just have a bad day. Some may be good binary guys and they might get unlucky if no binary services are provided. Nevertheless, in the history of the CTF, we always made it into the top 3 so we are pretty happy about that ;-) Winning, of course, is fun, but the main objective is to train the security skills of participants. Each CTF teaches something (for example, we had some complicated exploits running, but failed to fix some standard simple config issues and as a result, some user accounts got compromised). The most important aspect of the excercise, of course, is to have a lot of fun.

Here is a screenshot of the trend scores at the end of the game. Here are the final scores.One challenge for every team was to make a video with at least 10 team members who were supposed to dance ;-) We did not know what this was for, but found out at the end. Check out all participants and the announcement of the winner with the video.

Check out the pictures from the CTF.

You can also check out some partially exaggerated press reports [in German] ;-) We would like to thank every one for taking note of this fun contest:

• Heise News
• Pressetext
• Computerwelt
• Wien Web
• Inside IT
• Telekom Press
• ORF
• Der Standard
• Wiener Zeitung
• Kronen Zeitung
• Die Presse

Oh yes, here is a funny TV interview video -- Enjoy ;-) (Note that Markus is actually writing a hello world program and is then looking at it with hexdump, gdb, etc. *grin*). You might also like to read this Slashdot article. Rule number 2 also applies to this video, but hey, it looks cool and the avarage viewer is impressed, right? :-)