The traditional Winter Attack-Defense Spree is over, and what can I say…
RuCTFe 2013 rocks
First, let’s begin with RuCTFe 2013.
RuCTFe is an annual competition hosted by Hackerdom. 2013 was its 5th year.
RuCTFe is perhaps the most Classic Attack-Defence out there. Since its first year, the rules stay pretty much the same: there is a vulnbox with a pack of services, you gain points for attacks, you gain points for keeping your services up and unpwned.
This year Hackerdom experimented with scoring, making it Attack * SLA, which raised SLA valuability a whole order of magnitude, but well, it worked fine for us :)
The thing to highlight is the flawless organization and zero fuckup level this year. That’s definitely something hard to achieve for an A&D. Nice job!
iCTF 2013 is fine
Going backwards on the timeline, iCTF 2013.
iCTF is one of the most aged and respectful international Attack-Defence CTFs and has been hosted by UCSB for the 11th year in a row.
iCTF is the most Stochastic Attack-Defence competition. One can never guess what to expect from a next iCTF. Every year the organizers at UCSB seem to roll huge dice with CTF legend ideas and infrastructure layout. This year, the infrastructure die rolled out the same thing as previous year. Rare case!
Anyway, iCTF is fun each year, expecting the teams to understand game mechanics first instead of plain hacking.
My opinion: the mechanics turned out to be too random this year. Seems like only the last 1/4 of the game is where you actually get scores (the point reset thingy), and the “turn off opponent’s exploits” is imba since there is no way to escape it.
rwthCTF 2013 is nice, organizers are utter assholes
This year’s rwthCTF was the most Assholish Attack-Defence competition. Challenges were fine. The idea with separate ARM service was nice, although it has immediately cut down the number of teams to 64.
The phailure was organization. Imagine a situation like this:
Your team is having a good luck in a CTF, and holds 1st place pretty confidently for 8 hours straight, out of 10h total playtime. 2.5h before the end, you exploit a new vuln in the service, and – bingo! – 90% of your opponents are still vulnerable. Woot! pretty awesome scenario, right? You’ve been lucky enough to trade your effort for a hard exploit that can give you many flags and increase your lead :)
Using the vuln you found, you begin stealing flags from all other teams, and also start removing flags from their boxes for them to lose defence points. Everything goes well, you get a 50 “Congratulations, you have scored a point!” scorebot messages every few minutes, nice! Then after a few minutes you start to notice that your score isn’t growing that fast :-O
Actually, it seems like none of the flags that you’ve stolen from that service get counted. You PM an organizer asking to look into the issue. “Hm, the flags are in the database – they should have been counted” is his answer. OK, you wait, maybe it’s just not displaying the score properly because of caching or something… Nothing. You continue to bug the org about this thing, and – at last! – after almost an hour he responds “Oh apparently the flags weren’t counted because you delete them from opponents’ boxes. Now we changed the scoring logic so flags should be counted fine”
Oh thank you, – you think, – but we’ve had this issue for an hour already and have lost a ton of points, can we get those re-counted since you have them in your DB? – “Meh, well… maybe we’ll talk about that later…”
WTF?! As you can tell from the numbers, your team would have twice as much points at that moment, if your flags were being counted properly.
So anyway, while the org is doing nothing and the game is ending its course, two other teams overcome you, and you’re on 3rd. The game ends. You remind the org about score recalculation. He starts debating with the CTF dev team about how much points your team has lost, it turns out if orgs do a recalc, you win the ctf – 1st place instead of 3rd. At the same time, he tells you that you’re the wrong party here: you shouldn’t have removed the flags from opponents’ boxes, irregardless there is no such rule in any CTF. Also it’s 5am at your place and you’ve been pwning for 10 hours straight, and they’ve been supporting the infrastructure for 10 hours straight, so everyone’s irritated as hell.
Finally, guys from 1st and 2nd place teams start whining and the orgs decide to do nothing. You’re on 3rd while having pwnd enough to be 1st.
Surrealistic? Well, that’s what was actually happening.
The day after, after having some sleep and relieving from CTF hangover, I have another discussion with that org, about why they decided to do that – and instead of even admitting he’s wrong, he tells me like, “that was the rule dude, you shouldn’t have removed the flags” and claims that i’m the asshole here for bringing it up again. :-(
Gathering it all together:
- The game has a rule which isn’t in the rule set – teams have no way to find it out
- In fact, in the rule set there was this (like in any other A&D CTF): “However, if other teams manage to delete your flags, you will not receive points” – in my opinion meaning exactly “if you want opponents to lose defence points, delete their flags”
- The scorebot responds “Congratulations, you have scored a point!” when you post the flag – like you would expect on any CTF – but doesn’t actually add any points
- When you ask the orgs about why the flags aren’t counting, it takes them a fucking hour to figure out this rule
- We lose 1/3 of our points because of the rule, and the only thing orgs are doing is saying “oops, sorry for not telling you about that rule”
- Orgs refuse to publish the game logs for everyone to see
For the historical purposes, here are the text-fighting logs
Don’t know whose decision it is, but in my opinion that’s not how any competitions should be organized.
/!\ Asshole alert /!\