Friday, September 30, 2016

What Makes SkyDog Con CTF Different? And by "Different" I Mean the Best!


When talking with (describing to) people about the SkyDog Con CTF I’m often asked why I setup the CTF as a vulnerable VM rather than a “traditional” CTF. Having given this some thought I decided to write out the things that I love and hate when playing CTF’s and why I do things differently at SkyDog Con.

First, let me start off by saying that I believe CTF’s can be a great way of teaching not only techniques but more importantly critical thinking skills. I've tried to incorporate the need for critical thinking into the CTF by using a theme. The overall theme plays a vital role in solving the CTF because it provides “context” for each flag. Last years CTF was based on the movie “Sneakers” with each of the flags referencing something from the movie. The movie provided the context for the flags. If you didn’t watch the movie then solving some of the flags would be incredibly difficult and take much more time no matter what technique or tool you used. This year is no different. I’ve chosen a new theme and I’m excited to see how people do with it.


Ok so the first issue with a traditional CTF are resources. Particular the hardware needed to run the actual competition. This is usually made up of switches and a few wireless access points. Then there’s also the matter of the server/servers that host the virtual machines that the players are trying to access/pwn in some way in order to discover flags. This architecture immediately introduces two potential bottlenecks that can literally make or break the CTF for everyone. The first is the network and the second are the servers. Having played in well over a hundred CTF’s I can tell you that network latency is a huge issue which typically rears it’s ugly head as an incredibly slow network. The network speed will play a big part in how fast your scans will finish when doing your typical reconnaissance. Not to mention if some dingo starts deauthing the wireless. Several months ago I played a CTF where just doing nmap scans took several hours to complete due to network congestion. This makes total sense when you’ve got 100+ people bombarding a gigabit switch just by scanning. The server hardware also plays a huge role in all this. Depending on how many players and the specs on the server box it’s easy to overload the server and start bringing down services and applications.

Because of this the SkyDogCon CTF is provided as a vulnerable virtual machine that you run on your own laptop using either VMWare or VirtualBox. This resolves any potential network issues not to mention server performance issues that typical CTF’s face. You also don’t have to worry about being on a hostile network, as your completely isolated. 

The second issue is man power. I’m a one man show so I would much rather be spending my time helping players find flags and hopefully learning new things by giving hints instead of just trying to keep the network and servers up and running the entire time.


Let’s talk about flags and scoring. Some CTF’s don’t show you exactly how many flags there are. I find this annoying so I make sure that players know exactly how many flags there are in total. I also hate wasting my time when trying to submit flags that have no consistency.  Where maybe the first flag is a string like “Howard” and the second is hex or something. Searching and finding flags is the fun part. Submitting them is not, so all the flags in the SkyDog Con CTF are in the form of flag{0800fc577294c34e0b28ad2839435945}, where the actual flag is always an MD5 hash. I did this so that when you find a flag there is no guessing, you know that’s the flag. This also makes submitting flags a lot easier since each one is a hash. 

I could go on but those are the main points. I’d also like to say that this is in no way a jab at any other CTF’s out there. Creating one of these things from scratch is freaking tough and I have great respect for anyone who even tries let alone pulls it off. Hope this gets you interested in this year's SkyDogCon CTF & gives prepares you to come out and give it a try!
Read more »

Thursday, September 29, 2016

@SkyDogCon @DerbyCon 2016!

DERBYCON 2016 IN PICTURES least in the semi-appropriate ones we can share...


We had shirts, stickers, buttons, & a running mate!

@IronGeek prepares an epic surprise even we weren't ready for!


As always we're amazed how long people will wait in line to get one of these! We love making them!


Hak5's Shannon Morse (@Snubs) w/ Jayson...being creepy! Even "Boss Bitch" got a new ID!


Meet "Oppressy" the clown!  I almost need to apologize for posting these...but man did he go all out!

Added per IronGeek's request! via @cl64rk

Added per IronGeek's request! via @primestick

Added per IronGeek's request! via @StaceyBanks & @HackHunger


We socially engineered free beer from the machine!

Curtis punished Evan for years of #ICING...a truce was negotiated.


Jack Daniel was everywhere & got an updated employee badge!

Yeah...these guys are, aren't related! Holy cow at the tweets though!

James cuddling an inanimate object of affection...


We all put on clown noses and showed Dave our support! #Dave4President

We gave Dave Kennedy a reciprocal "black badge" to SkyDogCon (complete w/ clowns)!

DerbyCon staff photo (a few of us are in there)

Read more »

Wednesday, September 28, 2016

Electronic Badge Update!

What is it?

A surprise.  No, really... you'll be surprised...

The attendee badges are red this year but the badge you want to earn of course is the black badge.

Not only do you get free access to the con for life but it's also gold plated in all the right places.

There's a sweet little OLED screen which you've seen before in 2013, the joystick that nearly killed me and a few other odds and ends.

Those are three single-colour LEDs.  Knowing how much we like the bling and blinkies should give you a clue that we sacrificed the blinding LEDs for something else more interesting.  Dare I say, more practical?  Certainly more fun.

What's on the left of the badge?

What we sacrificed the blinkies for.  Worth it.

So, you going to be building badges at the con again this year?

For those not familiar with 2013, we built a badge.  An awesome badge.  A badge that we were deliriously happy with only to get delivered by our fabricator half-baked.  Quite literally half-baked; they hadn't baked the boards long enough so components were falling off boards.

Many heroic volunteers that year put in massive hours to get badges to attendees.

This year I'm building the badges by hand because I have trust issues.  Really, I built a robot to build most of the badge but I'm still having to do some of the assembly by hand like attaching the OLED display, SecretIC, joystick and battery pack.  This badge is assembled with lurve.

I intend to relax during the con.

If I want to hack the badge, what should I bring?

Yourself and maybe some AA batteries.  You're probably not going to want to hack the hardware this year for reasons that will be apparent later.

Okay, so software?  What processor / language are you going to use?

Processor doesn't matter language doesn't matter.  What is language but syntax?

You can program the badge in any language.  Fluent in APL? cool... perl? awesome... python, ruby, C, C++, erlang, elixir, Cobol (or its modern day version, java).

Bring your language and a host to show me it working on and I'll help you to get it to run on the badge.

We do however ask for advance notice if you do choose APL and bring an IBM 360/50 to run your APL code.

Write in whatever language you're comfortable in or learn a new one for kicks... maybe this is the fun excuse you needed to learn LISP?

... and that's the point.

We wanted to see a badge that people could have fun with and was accessible to anyone without being forced to crash-learn a new embedded processor, language and its idiosyncrasies.

Speaking of accessible, rock it out and we'll get your code running on all the badges...

After all, this is meant to be fun right?


Read more »

Thursday, September 15, 2016

Critical #SDC6 Dates!

In case you've been living in a cave, the dates for #SDC6 are set for October 21-23, 2016, at the Embassy Suites - Nashville South Cool Springs.  If you needed this post to tell you that...ITS ON THE FREAKING HEADER OF THE WEBSITE YOU IDIOT!

Moving on...


If you don't have your tickets yet, we're doing something new this year by pre-ordering your shirt to guarantee you get your size when checking in at registration!  There is a closing date for this to allow delivery before the CON.

If you want to be guaranteed a shirt in your size, the ticket option will close September 30th, 2016! 



The hotel block rate closes September 30th, 2016!  Its already pretty tight and we're working with hotel to allocate the block based on demand.  That said...


We're actively updating Facebook, Twitter, and the website with information so continue to monitor for updates!  See you at SkyDogCon!

Read more »

Wednesday, September 14, 2016

"The Con" vs "A Conference"

Profession vs. Passion

While driving back from @BSidesAugusta this weekend, an interesting conversation was sparked about the difference between a "CON" and a conference.  We're often are asked "what is SkyDogCon and what makes it different?"  Though that question seems easy to answer, it really depends on the person who's asking as to whether or not they'll understand the answer!

So, some of you reading this know exactly what I'm getting at, while most of you are likely scratching your heads!  If you fall into the latter category, give this post by @thegrugq a read which may just add some context for you.  So, back to that "interesting conversation" I mentioned...

We came up with several ideas, definitions, and generalizations though the one that seemed to get at the spirit of the difference the most (at least to me) was a contrast of "Profession vs. Passion" as it relates to attendee's motivation for coming. It's not a small distinction and not one we take lightly when planning each year's event.  The question you should start with is, "would I go even if work didn't pay or assist with the cost of going?"

Focus on the Profession

Lets make a quick clarification, there is nothing wrong with professional conferences. One of the most amazing things about Security BSides events is they make quality security education accessible to professionals who otherwise may not have the opportunity to attend larger industry events.  That said, the demand for inexpensive "professional education" isn't really contributing to a more engaged and competent security workforce either!  It may feed the CPE monster, but sitting in lecture-style back-to-back talks for hours over a weekend isn't most people's idea of fun!

In the article referenced above by @thegrugq, he faults among other things cat memes, "infosec rockstars", and general business economics for limiting the quality of content available to smaller conferences. He's not all wrong! I have witnessed many a presentation where the speaker clearly spent more time finding memes and developing one-liners than developing their topic. Meanwhile, for every 8 presentations you attend, maybe 1 will resonate or improve you as a professional.

Focus on the Passion

If you're not getting it yet, maybe go watch the DEFCON Documentary and see if you catch on to the difference. Some may call it culture or community or passion and they're all correct! The difference between a "CON" and a "conference" is the context, the purpose. For those who have gone to CONs like DEFCON or CarolinaCon or Outerz0ne and others for years, education was a byproduct fueled by passion for learning and participating in community. A CON is for the enthusiast not just the professional!

I'd compare it as @thegrugq does to a "comic con" that many go to not because work pays them or provides for them to go. People go because its fun! It's their passion, hobby, creative outlet, or any combination of reasons that motivate them to participate regardless of who's paying.

So what's the difference?

SkyDog made the CON to be "all the things he loves about a CON and none of the things he hates" or so he tells us.  So, it is true we often have amazing talks and presenters. Even still, one of the things we love most about SkyDogCon...the community! Hanging out with our friends we rarely get to see, often since DEFCON or the last SkyDogCon. Hearing a presentation on someone's passion project which may not get a slot at an industry conference but is of value, interest, and an audience (if for no other reason than one of our own is excited to share).   We value the opportunity to have an open dialogue (many times in the middle of a presentation) and share experience from both professional and personal perspective.

Ultimately, the "CON" is a gathering of a community focused on interest not a profession and is accessible to anyone interested in learning, participating,  and contributing. It may not look or feel "professional" because it inherently isn't and yet, I postulate, is even more critical to the development of knowledge and education than any "conference" or professional organization.  The "CON" differentiates itself in cultivating a passion above attendance, relationships over colleagues, and contribution over notoriety.  This is the hacker culture we seek to embody in SkyDogCon!
Read more »