A UCSB iCTF event.
Official URL: http://ictf.cs.ucsb.edu/
88 teams total
|Place||Team||CTF points||Rating points|
|6||More Smoked Leet Chicken||62.468||35.289|
|9||Tower of Hanoi||31.775||19.056|
|30||Delusions of Grandeur||8.929||5.444|
|36||Ulm Security Sparrows||4.771||3.327|
|72||Plaid Parliament of Pwning||0.000||0.000|
How can I enter the contest?
How can I play the contest?
This was definitely the worst iCTF. Though I see the work the organizers have when hosting an attack/defense CTF and I appreciate it, this was just not a fair and fun competition.
First they just reused old services from older CTFs. This means the first 2-3 hours your team just spent googling for write-ups and adjusting their exploits. Then the CTF had over 40 services. This is just too much for a 9 hour competition. Your team has certainly no chance to look at all services (unless you have a really large team). The reusing part was just the worst of all. This makes this CTF hardly a competition because older teams that played the CTF regularly have a huge advantage because they know the challenges, while new teams first have to read the write-ups and understand everything.
Though, they also had new services. I solved a new one and it was fun. And that is the reason I do not understand why they put up over 40 services ...
I would like to end this comment with a quote: https://twitter.com/fluxfingers/status/586610066046001152 ;)
@Andre: although we won this year, (and I am speaking in my name only, not in my team) you are absolutely right in many aspects. Usually we are playing in a very small team on CTFs, iCTF is our big 'only once a year' gathering, when we invite everyone who is interested in security to see what we do at CTFs. So now there were 30 of us, instead of the usual 2-3-4 (https://twitter.com/CrySySLab/status/586681451007074304). I would be very, very mad for example if only two of us had to process (although the new faces were less effective than us, but their help clearly meant a lot).
On the other side I think we learned a lot and it was our best iCTF so far and not because we won, but because we had enough experience to deal with it. We can manage a bigger team better than before, we can choose a better strategy over time. We were the first who successfully uploaded an exploit, because we spent 10 minutes smashing F5 and uploading the collected exploits from the internet (we almost forgot the echo exploit LOL). We did this because it gave us a lot of points in the timeliness category. Later we switched to patching, then exploiting.
About exploiting and what I don't really like about attack / defense CTF (in spite of jeopardy): you can steal other teams' exploits. It's clearly the best strategy. Much more effort to be the first who successfully exploits a service, than the second one. So we prepared a system which automatically split every service's traffic and we just grepped for FLG, and copied the exploit payload. In some of the cases, we did not even know which language the challenge was written in. Of course we also exploited services which AFAIK nobody else did (talkun/talkserver and maybe yeesbutno), but it was negligible compared to a jeopardy CTF.
Every iCTF is totally different than the previous ones, but I think it's important that we have this special CTF which brings a large diversity into the CTF scene. In my opinion maybe iCTF changed over time, but it is still much better than some other shitty stego / misc jeopardy CTFs nowadays...
Although we didn't take part in UCSB iCTF (we somehow didn't notice the registration deadline) - I think that this CTF is an awesome reason, to finally start the discussion, how the rating weight is awarded to CTFs listed on ctftime.org
Let's check the definition - "weight is an subjective per-event value, depends on tasks and organization level, participated teams" (from https://ctftime.org/rating-formula/)
A subjective opinion has got one disadvantage - people like to ask "why". In the light of the events (it has been said that old challenges had been reused) I got a few questions.
"depends on tasks" - do you really think solving problems to which solutions had been already written-up deserves a lot of points? So what is your measurement of the challenges' quality? Copy-pasting solution is neither entertaining nor difficult.
"depends on organization level" - giving a CTF with reused challenges more points than others (who every single year put an effort to create new, challenging problems to solve) doesn't sound quite respectful for other Orgs, who had been spending a lot of time on preparing their own competitions. There are tons of CTFs here with smaller ranking-weight but which had unique challenges.
"depends on participated teams" - no teams from TOP6 took part in this CTF. Moreover, only 10 teams from TOP50 played it. Again - what is your measurement of the teams' quality, which increase the rating-weight of this CTF?
str str, I haven't answered to your private letter b/c think I should answer in public to clear the air:
1. You haven't participated in this event - what are we talking about?
2. CTF is a time, also a players' time, so if people played this event (and mostly there were student teams) and got some experience from it - why can't this event have some weight?
You'd understand specific number 42 if you played this CTF, but you haven't.
3. Please, change the tone of the conversation - I don't owe you (or anybody other) anything and don't like the idea to be lectured by strangers for my decisions.
Feel free to join the discussion and propose more clear rating mechanics here:
OK, I'll be answering line by line (hope, you will fix the formatting issues, as new-lines probably won't be displayed).
Ad. "I haven't answered to your private letter b/c think I should answer in public to clear the air":
Nope - we were discussing about rating-weight via email. Then the idea to move that topic in public appeared. You asked about publishing the conversation, I proposed that I would write the shorter version of it - as people tend to read smaller blocks of text (and more people will read - more opinions appear). Funny fact - your comment, which you called "the answer to clear the air" doesn't contain a single answer to my questions :)
Yup, I didn't participate in this event. Neither did you. But I've read comments about this CTF here, on IRC and some other places. That's why I do have an opinion about it. So do you. The only difference here, is that our opinions are different. I've already listed you my reasons, why I think that the rating-weight in this case is too high. However, you are avoiding to present your reasoning.
Yeah, "CTF is a time", I would even say: every CTF is a time. So if it's the only factor of calculating the rating-weight, then every CTF should have the same weight.
To make it clear - I've never said, that rating-weight should be zero'd in this case. It just should be decreased to 10-20 points max.
Ad. "You'd understand specific number 42 if you played this CTF, but you haven't.":
No, I wouldn't understand your enigmatic number 42. Because, sometimes I even don't understand your rating-weight in the CTFs, which we played. That's the reason of my comment. I was wondering, how rating-weight works and I wanted to encourage people to start a public discussion about it. Yeah, I'm using past-tenses on purpose, I did care - now I don't (the reason in the next paragraph).
If you feel somehow offended - sorry, I didn't mean to insult you. Honestly, more offending is your clear disregard for my politely asked questions. Yup, you don't owe anyone, anything. The same - I don't owe you any explanation that attitude like that will put the deadlock on every possible conversation, on every possible topic. I'd rather spend my energy on googling writeups for CTFs, which I missed, rather than trying to change the level of this discussion. EOT - unless you answer my above questions [hint: these ones that end with char "?"].
Just some thoughts:
- "giving a CTF with reused challenges more points than others" -> we counted at least 10 new challenges. There are no more challenges on other attack / defense CTFs. So the reused challenges were more like a plus than replacing the "real" challenges. The problem is that it is worth more to solve old challenges than new challenges, so I think a lot of teams haven't got to the new challenges and this was not fair.
- "do you really think solving problems to which solutions had been already written-up deserves a lot of points" -> solving a lot of them can be a challenge. Also writing an exploit from a writeup can be just as hard as finding an easier vulnerability and writing an exploit for that. So it was more like a lot of easier challenges. Also they fixed some old vulnerabilities, so you had to find new vulns in the same challenge.
- "doesn't sound quite respectful for other Orgs, who had been spending a lot of time on preparing their own competitions" -> I think the iCTF organizer team worked at least if not more with this than other CTF organizers. I think you are comparing apples and oranges.
One question though: if they would not reuse the old challenges, only used the new ones, would you give more or less points for the CTF? (Pro: it would be more fair to new teams and teams with less people; con: maybe it would be more easy with less tasks?)