Post ASdnprXgU2B4TGQZ9s by adam@hax0rbana.social
 (DIR) Post #ASdlpImtV6TMlz9A92 by magnetic_tape@infosec.exchange
       2023-02-10T10:18:55Z
       
       0 likes, 0 repeats
       
       Do any infosec peeps here have experience and tips on running/hosting smoothly a #CTF event? Maybe technical tips but also all the little things which improve the overall participant experience. I'll be hosting one (physical, not online); goodies and food are mostly sorted but I have a question about having music while the event is running because I'm not sure if it's a good idea. Also I've got a question about providing power to 60+ participants safely. I've been to LAN parties younger but never thought much about those.
       If there are good resources out here (feedback from organisers, blog post) I'm all ears!
       Tagging @wrongbaud and @cybergibbons for good measure
       
 (DIR) Post #ASdlpJPtA7fGivOIvQ by adam@hax0rbana.social
       2023-02-13T15:11:11Z
       
       0 likes, 0 repeats
       
       @magnetic_tape @wrongbaud @cybergibbons Hi there. I co-founded and ran open CTF for 5 years at DEF CON. I've also played in other people's CTF games, developed challenges professionally.
       I'll try to give a concise list of lessons learned & share some "fun" stories
       - Don't depend on internet access
       - Test your scoreboard
       - Make sure your network works as expected
       - Have backups of everything
       - Have challenge authors on standby to troubleshoot
       
 (DIR) Post #ASdmPskVH4AMjLTHIO by adam@hax0rbana.social
       2023-02-13T15:17:44Z
       
       0 likes, 0 repeats
       
       @magnetic_tape @wrongbaud @cybergibbons Depending on good internet access has ruined many CTF games. It's largely outside of your control so if there is an issue, there's little you can do about it. Running everything locally enables you to fix any* problems that come up.
       * unless your router dies and you don't have a backup, then you'll buy a different brand router on the spot and find someone to program it while everyone waits
       
 (DIR) Post #ASdn2XCLKm63BWvLKy by adam@hax0rbana.social
       2023-02-13T15:24:47Z
       
       0 likes, 0 repeats
       
       @magnetic_tape @wrongbaud @cybergibbons One year, we had a scoreboard that couldn't handle the load from all the servers (we had been testing each service sequentially, not all of them at once). This not only meant that teams couldn't tell if they successfully completed the challenge, but the scores weren't being recorded (our game gave teams more points the longer they held a flag, so this was very important for us).
       
 (DIR) Post #ASdnRmH4Pym1BOAiTw by adam@hax0rbana.social
       2023-02-13T15:29:19Z
       
       0 likes, 0 repeats
       
       @magnetic_tape @wrongbaud @cybergibbons This one time, we forgot to change the root password on a machine, so it was like password1 or something. Oops!
       A team found it within minutes (good on them!) and pulled some clever tricks (like modifying the scripts that call cron jobs to give them the flag). It took us a while to figure out how they kept capturing the flag that wasn't on the network. The next year we had VMs & snapshots.
       
 (DIR) Post #ASdnprXgU2B4TGQZ9s by adam@hax0rbana.social
       2023-02-13T15:33:40Z
       
       0 likes, 0 repeats
       
       @magnetic_tape @wrongbaud @cybergibbons Finally, challenges will break and most of the people running the event won't know how to fix them. Try to make sure at least one person other than the challenge author is familiar with each challenge. Also, be able to tell a failure from expected behavior.
       Manage expectations of the players. "Yeah, the author went to see talk X, we're going to have them look at it when they get back".
       
 (DIR) Post #ASdogx8KQVwb9vsngG by adam@hax0rbana.social
       2023-02-13T15:43:15Z
       
       0 likes, 0 repeats
       
       @magnetic_tape @wrongbaud @cybergibbons
       Bonus suggestions: if time allows...
       - have someone play test each challenge before the event
       - write a solver script so anyone running the contest can check to see if a service is working properly
       - monitor service uptime with something like Nagios so you know when things go down and can respond proactively
       - Write documentation for both staff and players for every challenge
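
A service check of the kind suggested in the post above, which staff can run by hand or a Nagios-style monitor can call, as an added example that is not part of the original thread. The host, port and expected reply are assumptions supplied on the command line; the exit codes follow the standard Nagios plugin convention, and reporting a wrong reply as WARNING rather than CRITICAL is a choice made here to separate a broken challenge from an unreachable one.

```python
import argparse
import socket
import sys

# Standard Nagios plugin exit codes.
OK, WARNING, CRITICAL = 0, 1, 2


def check_service(host, port, expect, probe=b"", timeout=3.0):
    """Connect to a challenge service and compare the start of its reply
    with what a healthy instance sends. Returns (exit_code, message)."""
    target = f"{host}:{port}"
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            if probe:
                s.sendall(probe)
            while len(data) < len(expect):
                chunk = s.recv(4096)
                if not chunk:  # peer closed the connection
                    break
                data += chunk
    except socket.timeout:
        return CRITICAL, f"CRITICAL - {target} timed out after {timeout}s"
    except OSError as exc:
        return CRITICAL, f"CRITICAL - {target} unreachable: {exc}"
    if data.startswith(expect):
        return OK, f"OK - {target} replied as expected"
    # Reachable but misbehaving: a broken challenge, not a network outage.
    return WARNING, f"WARNING - {target} unexpected reply: {data[:40]!r}"


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="CTF challenge health check")
    ap.add_argument("host")
    ap.add_argument("port", type=int)
    ap.add_argument("expect", help="bytes a healthy service sends first")
    ap.add_argument("--probe", default="", help="optional input to send")
    args = ap.parse_args()
    code, msg = check_service(args.host, args.port, args.expect.encode(),
                              args.probe.encode())
    print(msg)
    sys.exit(code)
```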
       
 (DIR) Post #ASdtGCoMWn0RjfbpmC by magnetic_tape@infosec.exchange
       2023-02-13T16:34:24Z
       
       0 likes, 0 repeats
       
       @adam these are excellent tips, thank you. I don't rely on the internet for most things in my life so this will be a fully local and frugal (no power wasting challenges like bruteforcing and I'll set up a dedicated category for players who will use the least energy to play this event) CTF.
       I'm also thinking about a way for players to buy hints for some challenges in exchange for points, but I don't want to add too many features on my framework as I want it to be as light and minimalist as possible!
       
 (DIR) Post #ASduW4qlzjeDdFrvpQ by adam@hax0rbana.social
       2023-02-13T16:48:31Z
       
       0 likes, 0 repeats
       
       @magnetic_tape We told everyone that we accepted bribes in exchange for hints. Or people could come up and just ask questions about challenges and we'd help them out.