1) All teams must bring their own attack toolkits and systems.
We will be providing a bootable PHLAK or KNOPPIX-STD disk for all participants who need a toolkit. We will also provide Cat5 from the score server to the team's table, as well as a power cable to run to each table. You will need to bring a laptop or desktop machine with a wired and wireless access card (the wireless is optional but encouraged,) Power cables and a surge protector, Cat5 cables for connecting with your team, Hubs or Switches, and a Router/Premise Router/Firewall (optional as well.)
If you haven't figured it out already...anything on our networks is subject to attack, so you might want to lock up your box.
2) All forms of electronic attack are allowed except for Denial of Service. Denial of service attacks are truly annoying and expressly forbidden, and if detected, will negatively impact a team's score. Bandwidth hogs will be penalized...as discussed below.
3) Each team has to gain root on the target systems and hold them as long as possible during the competition to score points. The scoring system is round-based, thus you must keep your flag until the end of a round to score points. Bandwidth usage is penalized, but there are ways around this (hint, hint.)
4) Teams can choose to secure the target hosts they gain access to, but will be responsible for keeping their hacked target up and running without interruption. Any interruption in services will alert the BOFH's running the systems, and will cause the system to be "fixed" and the team's flag removed. There are ways around this, attackers are expected to "game" the system through novel approaches such as asking the systems administrator (through social engineering,) to reboot the server or interrupt the normal operation of the server for necessary maintenance. (No physical coercion will be tolerated, but social engineering is accepted and encouraged...)
5) Keys will be provided to each team, and the key ID is the name of the flag file that should be planted in the root directory of the target machine to get credit for owning it while deleting all other key files. In the event of more than one flag per server, the first flag planted will get the points until it is deleted.
6) At any time, there may be scheduled "bonus rounds" and "penalty rounds" for gaining bonus points or losing points, depending on specific scenarios. Each will be announced at least thirty minutes prior. We haven't done this yet, but we may be itching to do it this year.
7) The highest total score will determine the winner at the end of the competition (minus penalties and plus bonuses, which may not appear on the scoreboard.) The scoreboard will provide a summary of how each team is doing, but may not be a reflection of the final results. Results will be announced at the closing session of the conference, and not before that time. Prizes will be awarded to the winners at that time. Winners will also be announced on our website at openinfreno.sf.net after the con, along with the raw point totals and bonuses/penalties for everyone to see. The Judges will make the final determination on the winner and that determination is final (no grievances will be allowed.)
8) The Judges can and will modify the behavior of the target hosts at random intervals during the competition, and are allowed to probe, analyze, and test the network and all systems attached to it, so plug in at your own risk. Hosts which are down for any too long may be rebooted/reimaged by the Judges (as stated above.) The Judges are not responsible for any systems connected to the contest network and contestant systems may be subject to remote or local attacks by the Judges and other teams. Again, the Judges are allowed to screw with you, just like administrators in the real world.
9) Social engineering is allowed and encouraged, however teams shall not be allowed physical access to either target hosts or scoring systems (except where announced ahead of time, as a kiosk machine may be made available for users.) No physical coercion will be tolerated again teams, judges, or bystanders. Either will be grounds for disqualification and a permanent ban from participating in the future, as well as potential removal from the con.
10) Judges rulings are final. There will be no whining! No one cares in the real world, so why should we allow it here. Each team shall assign a Team Captain to work with the Judges and the other Team Captains to resolve disputes.
11) The source code for OpenInfreno, which this game runs on top of, is Open Source, and can be obtained from http://openinfreno.sf.net.
Any contestant is welcome to download the source code in its entirety and examine it for flaws. We believe the Open Source model makes for better programming, and will happily accept any flaws you may discover (we know they are in there...), provided you give us a complete bug report with specifics on the flaw, potential attack against the flaw, how to reproduce the flaw, and potential fixes for the flaw. We ask that you do not attack our game software during the con. However, to make it easy for us and to reward yourself, we offer a bounty of 50 extra points (to the team) for the submission of any flaw in our system which would result in access to the target machine through our code, as well as any flaw in our system which would result in access to the server machines (from either the target network or the attacker network) through our code. Denial of Service attacks, or theoretical attacks which would not yield access to the above machines are appreciated, but will not be rewarded during the game. The flaws must be written up in the form of an acceptible bugtraq vulnerability report (with a discussion of the bug, steps to reproduce its affect, and if you know of any way of fixing the code, we'd like that too,) and must be provided to the game administrators during the game in order to count for the reward (though bug submissions can be made at any time, with the reward being our thanks and mention within the source.) Bug reports submitted by teams will be counted at the end of the contest, and will be published on our website along with a projected fix time and other comments from the OpenInfreno development team.
Plug into the contest network at your own risk to the hardware, software, and data on/off your computer. The contest organizers and Judges are not liable for any activity which would target any systems not provided by our staff or available for this contest. Teams enter this contest at their own risk; Judges are not responsible for any loss to social standing, embarrassment, or shame teams bring to themselves as a result of their standing or activity in this contest.
The standard disclaimers apply here. Obviously anyone who is involved on the Team is prohibited from competing as a participant. This is only fair, as the participant may have inside knowledge which other participants do not have. This includes any current team members, and any team member who has been on the development or execution teams for anytime after 1 year before the contest.
For the sake of keeping the game enjoyable for all participants, other barred participants are as follows: