ie8 fix
madison

Real World IT

George Ou
Home / News & Blogs / Real World IT

Elite programmers compete in CTF at DEFCON

By | August 8, 2006, 3:08am PDT

Summary: Members of the winning team 1@stPlace after 2 day marathon At this years CTF (Capture the Flag) competition at DEFCON 2006, elite programmers and security penetration experts duke it out in a grueling two and a half day competition.  Out of hundreds of teams that signed up for the competition, only eight qualified for the finals [...]


Members of the winning team 1@stPlace after 2 day marathon

At this years CTF (Capture the Flag) competition at DEFCON 2006, elite programmers and security penetration experts duke it out in a grueling two and a half day competition.  Out of hundreds of teams that signed up for the competition, only eight qualified for the finals in Las Vegas.  Team "1@stPlace" won the prestigious CTF competition by out hacking out Pwning (owning) the competition.

Every team was given their own custom application server to host which they had to keep operational as much as possible while trying to break in to the other team’s servers.  The teams were not given the source code of the application server but were expected to patch it on the spot and find vulnerabilities in it to exploit the other competing teams.  Each team was only allowed to have 10 players in the pit area and was allowed to rotate team members out.


The pit area where teams fought their way through CTF

Even though the pit area closed down for a few hours in the early morning after 1:00 AM, the teams still worked on their strategy all through the night.  Some of the players didn’t sleep for 30 or more hours straight.

It would be fairly safe to say that if any of these teams were turned loose on a typical corporate network to perform penetration testing, they would probably own the system in a matter of hours.

Kick off your day with ZDNet's daily e-mail newsletter. It's the freshest tech news and opinion, served hot. Get it.

More from “Real World IT”

Topics

Disclosure

George Ou

http://blogs.zdnet.com/Ou/?page_id=557

Biography

George Ou

George Ou, a former ZDNet blogger, is an IT consultant specializing in Servers, Microsoft, Cisco, Switches, Routers, Firewalls, IDS, VPN, Wireless LAN, Security, and IT infrastructure and architecture.

Related Discussions on TechRepublic

Did you know you can take part in these discussions with your ZDNet membership?
Ask a Question Start a Discussion
11
Comments
Add Your Opinion

Join the conversation!

Just In

This was my first DEFCON
georgeou 9th Aug 2006
I was going to go last year, but my last job got busy and I couldn't go. I missed all the excitement with the Cisco lawsuit threat and everything.

I would recommend going to DEFCON if you can, tickets are only $100 but the expensive part is getting there and the hotel obviously but you might be able to share a room. Heck, most of these guys didn't even sleep, lol. They just partied all Friday and Saturday night. I guess you'll just need a place to crash and shower at most.
View in thread
0 Votes
+ -
Mmmm... A Security Man's Dream
nucrash 8th Aug 2006
I wish I was even partially as good as those guys to compete on their level.
0 Votes
+ -
don't get discouraged
psifertex 8th Aug 2006
Of course they took the picture ~after~ I had left the competition. Here's another one with all the team members identified:

http://flickr.com/photos/psifertex/209142150/

Anyway, don't get discouraged nucrash, many of us even on the winning team were relative noobs to reverse engineering and exploit writing until very recently. In fact, Atlas, our team captain presented at Defcon on the very subject of how he went from not knowing much of anything to winning the individual category at last year's CTF. Check out his blog here:

http://atlas.r4780y.com/

He'll be posting an updated version of the presentation there sometime soon.
0 Votes
+ -
Where do I start?
nucrash 8th Aug 2006
I am reading about security right now, and am enjoying some of Dave Aitel's books. I am also reading about Joanna Rutkowska and her Blue and Red Pills.

Security is still a bare for me, but I would like to work with it more and more.
0 Votes
+ -
try these...
psifertex 9th Aug 2006
Well, to start with, check out Atlas' presentation:

http://wantingseed.com/raw/TheMakingOfAtlas-dc-06.pdf

Also, Hacking: The Art of Exploitation (whose cover you'll see in the presentation) is highly recommended. It does a good job of explaining the basics of exploit writing, anyway, though there's a lot more to it than that.

The main key is to keep doing it. If you want some practice, go through the qualifying tournament for this year's CTF competition. Team 1@stplace (though most of the work was done by drb, one of the members), put up a site that has all the challenges with explanations. Try not to read the explanations until after you've really worked on the challenges:

http://nopsr.us/ctf2006prequal/
0 Votes
+ -
Elite?
TonyMcS 8th Aug 2006
While I understand the enthusiasm breaking in and destroying things, I question whether these people should be described as elite.

Creation is always harder than destruction and I don't think many of the people on the winning team would be capable of building the things they are trying to destroy.

Given our current mountain of malware, promoting this type of behaviour as exciting and as elite programming is a little naive. Yes, I'm aware that these little contests may expose weaknesses, but promoting them just encourages idiots to try in the real world.
0 Votes
+ -
Not just breaking in
georgeou 8th Aug 2006
They're reverse engineering and patching code for which they have no source in real time within the 2.5 day period. They're not just breaking things, trust me on that one. It's fair to call them elite programmers.
0 Votes
+ -
You keep using that word...
psifertex 9th Aug 2006
Thanks for the additional explanation, George.

What Tony may not realize is that every one of us on Team 1@stplace is either a security professional, programmer, or other legitimate techie. We're not illicit hackers cracking programs for profit in our spare time.

We do this for fun and real world experience for our jobs. For example, reverse engineering and exploit writing develops abilities that are crucial to reverse engineering and analyzing viruses or other malware that I encouter routinely in my day job.

So yes, while in general we might not all be elite programmers (heck, I reverted to using bash to break the weak crypto in the pre-qualifer:
http://nopsr.us/ctf2006prequal/walk-binary.html), but it takes a variety of different skills and abilities to pull off what we did, and every single skill we exercised has direct benefit to very legitimate activities.
0 Votes
+ -
honorable george ou
at1as 9th Aug 2006
Hey George,
Been great to show up on your site. Your work
on wireless has been very helpful for me and my
learning about EAP. Much respect from this end.

atlas
0 Votes
+ -
Thanks for your comments
georgeou 9th Aug 2006
Thanks for your comments
0 Votes
+ -
Thanks George.
Xwindowsjunkie 9th Aug 2006
I've been reading your coverage of DEFCON. Never have gotten a chance to attend in person. Thanks for covering as much of it as you have.
0 Votes
+ -
This was my first DEFCON
georgeou 9th Aug 2006
I was going to go last year, but my last job got busy and I couldn't go. I missed all the excitement with the Cisco lawsuit threat and everything.

I would recommend going to DEFCON if you can, tickets are only $100 but the expensive part is getting there and the hotel obviously but you might be able to share a room. Heck, most of these guys didn't even sleep, lol. They just partied all Friday and Saturday night. I guess you'll just need a place to crash and shower at most.

Join the conversation!

Formatting +
BB Codes - Note: HTML is not supported in forums
  • [b] Bold [/b]
  • [i] Italic [/i]
  • [u] Underline [/u]
  • [s] Strikethrough [/s]
  • [q] "Quote" [/q]
  • [ol][*] 1. Ordered List [/ol]
  • [ul][*] · Unordered List [/ul]
  • [pre] Preformat [/pre]
  • [quote] "Blockquote" [/quote]
ie8 fix
Click Here
ie8 fix

The best of ZDNet, delivered

ZDNet Newsletters

Get the best of ZDNet delivered straight to your inbox

Facebook Activity

Blog Roll

Blog Archive

White Papers, Webcasts, & Resources
ie8 fix
ie8 fix