DefCon 32 CTF Guidelines v0.4B
Overview:
This year (2024) the Car Hacking Village (CHV) is in-person.
Prizes will be awarded at 1 pm PST on August 11, 2024 (CHV) inside the Las Vegas Convention Center.
Register in person or at chv-ctf.ctfd.io.
Eligibility:
No persons or employees of companies who are currently sponsoring can score on flags created by that company's employees.
Each Team shall nominate a Team Leader.
The Team Leader must be 18 years or older.
Only the Team Leader is required to be physically present at the CHV; any additional participants may be located anywhere in the world.
Team Leads must give REAL names, email, and phone numbers to collect prizes. See our privacy statement below for more information.
The Team Leaders of the winning Teams are responsible for all taxes on the prizes.
Prizes:
1st place: A Car!
2nd place: NXP Development Kits
CTF Tables and Seats in CHV:
Tables are open to anyone wishing to play in the CTF.
You must be registered on chv-ctf.ctfd.io or be part of a team competing in the CTF to use the area designated as CTF.
Please do not save seats; those who keep seats open for long periods of time will be asked to vacate the table area.
CTF Contacts:
Uberwoozle (Lead)
JustinJustin (Lead)
Teams:
A “Team” is defined as a collaborative group of no more than 20 individuals competing under a single team name.
Teams must designate a Team Leader.
Only the Team Leader is eligible to win prizes.
A Team is not allowed to give themselves or another team an unfair advantage. A team found in violation of these rules may receive a deduction in points or be disqualified from the CHV CTF.
All Team Leaders will be required to be present after DefCon closing to win a prize.
Individuals on one team may not share answers with those on another Team; any team found doing this will be deducted points equal to or greater than the value of the answer(s) shared.
Individuals may only be a member of ONE Team.
If caught switching teams, the team may be penalized or potentially disqualified.
Flags (Points):
Flags are awarded upon successful completion of individual challenges. Each challenge will be accessible via chv-ctf.ctfd.io. After successfully logging into the CTF website, teams will be presented with the list of categories and associated challenges. Each challenge will be identified with a point value. Teams should click on the point value to view the challenge. The challenge will have a question, an answer box, and a value. Teams should work to solve the question and put the answer to the challenge in the answer box. After hitting submit, the team will be notified if the flag was accepted. If yes, the team will be awarded points equivalent to the value of the challenge as stated in the main landing screen. If the response was incorrect, then no points will be awarded nor will any points be deducted. There is no penalty for wrong answers.
The CTF is open to everyone, including those who may have assisted with developing or designing challenges. This is done because many people who assist are also interested in competing. However, this poses a challenge as they would know the answers to their own challenges. For this reason, people who submit challenges to the CTF are not allowed to score points on their own challenges.
Hardware Contention:
Due to the nature of this CTF, Hardware Contention will likely become an issue. To help mitigate this, we propose a hardware signup sheet. The top teams leading up to the main CTF at DefCon will be given an extra 10 minutes of time on hardware in the village.
Final Judgement:
Complaints must be formally requested by visiting the CTF table in the CHV and speaking with the CTF personnel. Complaints deemed non-frivolous will be brought to Trial. Teams who request a trial must have at least 100 points in the CTF.
Rules for Trials:
Issues will arise, ranging from hardware contention, to point valuation, to unforeseen challenges with the CTF infrastructure. In the event that such an issue arises and there is no rule that adequately describes its resolution, a three-judge panel will be convened. The judges will hear the case brought forth by the complainant. The judges will be two members of the CHV CTF (or members who have no stake in the outcome of the CHV) plus one random member of the audience who has no affiliation with the complainant’s team members, the CHV, the CHV CTF, or the DEFCON organization. If another CTF team is involved in the dispute, they may also add a random member of the audience who has no affiliation with the complainant’s team members, making four judges. In the event of a tie in the judges’ decision, team leads must complete an additional CTF challenge, and the team that completes the highest-value challenge within 30 minutes will have the tie-breaker vote in the argument. A simple majority of votes wins the argument.
In order to prevent multiple complaints, a lost complaint will result in a 100 point deduction from team scores. If teams do not yet have 100 points then they must earn 100 points in order to file a complaint.
Denial of Service:
As we are sharing hardware and only have limited supply, physically disabling hardware is discouraged. So discouraged that the outcome of this transgression could lead to disqualification of your team or a deduction in your team's flags. Please let others use the hardware.
Coercion:
Coercion is bad: do not force others to do anything that they do not want to do. This includes forcing others to give your team answered challenges, forcing others to participate in challenges, and generally being mean and rude. Teams found to be coercing other participants will have points (up to 2000 points) deducted from their score.
Unauthorized or After-Hours Use of CHV Hardware:
The CHV is open from 10:00 AM to 5:30 PM on August 9 & 10 and from 10:00 AM to 12:00 PM on August 11. Outside of these hours, use of CHV-supplied challenge hardware is off limits to teams. Any team caught violating this may be penalized up to 2000 points or disqualified from this CHV CTF and future CHV CTFs. Please stop using tools promptly at the close of the village so as not to give your team an unfair advantage.
NO PURCHASE NECESSARY
For the Stuff We Didn’t Think Of:
It is likely not possible for us to think of all the ways in which teams can gain an obviously unfair advantage. If evidence is brought to the CTF Admin’s attention that a team is attempting to game the system in a way that is obviously unfair, then this team should be discouraged. First infractions will result in the team being penalized by the CTF Admin. This penalization may include a deduction in points (up to 2000 points) or potential disqualification from the current and future CHV CTFs. Please do not create a situation where other teams do not want to compete.
How to Win Grand Prize:
The top-scoring team will be awarded the Grand Prize (1st prize), followed by the second team winning 2nd prize and the third team winning 3rd prize. Teams must be present to accept the prize. If a team is not available by 1:30 PM PST, the team forfeits and the next-place team will move up and take that team’s rank and thus their prize.
Taxes or Alternative Prize:
Prize winners MUST PAY ALL TAXES and FEES or choose a cash substitute for their Prize. Here is an estimated Tax Schedule:
1st: To Be Announced
2nd: To Be Announced
As an alternative to taxes, each prize can be exchanged for a Cash Prize. A 1099 will be required for this option:
1st: To Be Announced
2nd: To Be Announced
Tie Breaker:
In the event of a tie, the team who scored first will be awarded the higher rank. In the event that this is too close to call, the team who scored the highest-value flag first will be given the higher rank. If it is still too close to call, a best-of-3 game of Rock, Paper, Scissors will decide.
Black Badge:
If selected as a Black Badge competition by DefCon, the team with the highest points at the close of the standard CHV CTF time (12:00 PM PST August 11, 2023) will be named the Black Badge winner.
Extra Stuff:
CTFs are hard to put together, and mistakes will be made. We will do our best to solve these issues in a quick and timely manner. However, if you do find an issue with a challenge, the web server, or any other infrastructure of the CTF, please bring this issue to the CHV staff. CTF Staff will be at the table marked CTF Staff in the CHV. Please contact Uberwoozle or JustinJustin for assistance.
Privacy Statement:
We will only use your email to contact you during the CTF or after the CTF has closed to verify if you are among the finalists. After DefCon we will not contact you, but may maintain your contact details.
Feel free to use a burner email account or fake contact details, but we will only notify the finalists via the email address you’ve given. If no one responds within 15 minutes of the request being sent to the email address given by the team, then we will notify the next-ranked team and disqualify the non-responsive team. In other words, please don’t use an email address that you don’t have access to or cannot respond to emails from.
This privacy policy has been compiled to better serve those who are concerned with how their ‘Personally Identifiable Information’ (PII) is being used online. PII, as described in US privacy law and information security, is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context. Please read our privacy policy carefully to get a clear understanding of how we collect, use, protect or otherwise handle your Personally Identifiable Information in accordance with our website.
What personal information do we collect from the people that visit our blog, website or app?
When ordering or registering on our site, as appropriate, you may be asked to enter your name, email address, mailing address, phone number, or other details to help you with your experience.
When do we collect information?
We collect information from you when you register on our site, fill out a form, open a support ticket or enter information on our site.
How do we use your information?
We may use the information we collect from you when you register, make a purchase, sign up for our newsletter, respond to a survey or marketing communication, surf the website, or use certain other site features in the following ways:
• To allow us to better service you in responding to your customer service requests.
• To administer a contest, promotion, survey or other site feature.
• To quickly process your transactions.
• To follow up with you after correspondence (live chat, email or phone inquiries).
How do we protect your information?
We do not use vulnerability scanning and/or scanning to PCI standards.
We only provide articles and information. We never ask for credit card numbers.
We do not use Malware Scanning.
Your personal information is contained behind secured networks and is only accessible by a limited number of persons who have special access rights to such systems, and are required to keep the information confidential. In addition, all sensitive/credit information you supply is encrypted via Secure Socket Layer (SSL) technology.
We implement a variety of security measures when a user places an order, enters, submits, or accesses their information to maintain the safety of your personal information.
All transactions are processed through a gateway provider and are not stored or processed on our servers.
Do we use ‘cookies’?
Yes. Cookies are small files that a site or its service provider transfers to your computer’s hard drive through your Web browser (if you allow) that enables the site’s or service provider’s systems to recognize your browser and capture and remember certain information. For instance, we use cookies to help us remember and process the items in your shopping cart. They are also used to help us understand your preferences based on previous or current site activity, which enables us to provide you with improved services. We also use cookies to help us compile aggregate data about site traffic and site interaction so that we can offer better site experiences and tools in the future.
We use cookies to:
• Help remember and process the items in the shopping cart.
• Understand and save user’s preferences for future visits.
• Compile aggregate data about site traffic and site interactions in order to offer better site experiences and tools in the future. We may also use trusted third-party services that track this information on our behalf.
You can choose to have your computer warn you each time a cookie is being sent, or you can choose to turn off all cookies. You do this through your browser settings. Since each browser is a little different, look at your browser’s Help Menu to learn the correct way to modify your cookies.
If you turn cookies off, some features will be disabled, and some of the features that make your site experience more efficient may not function properly.
However, you will still be able to place orders.
Third-party disclosure
We do not sell, trade, or otherwise transfer to outside parties your Personally Identifiable Information.
Third-party links
We do not include or offer third-party products or services on our website.
California Online Privacy Protection Act
CalOPPA is the first state law in the nation to require commercial websites and online services to post a privacy policy. The law’s reach stretches well beyond California to require any person or company in the United States (and conceivably the world) that operates websites collecting Personally Identifiable Information from California consumers to post a conspicuous privacy policy on its website stating exactly the information being collected and those individuals or companies with whom it is being shared. – See more at: http://consumercal.org/california-online-privacy-protection-act-caloppa/#sthash.0FdRbT51.dpuf
According to CalOPPA, we agree to the following:
Users can visit our site anonymously.
Once this privacy policy is created, we will add a link to it on our home page or as a minimum, on the first significant page after entering our website.
Our Privacy Policy link includes the word ‘Privacy’ and can easily be found on the page specified above.
You will be notified of any Privacy Policy changes:
• On our Privacy Policy Page
You can change your personal information:
• By logging in to your account
How does our site handle Do Not Track signals?
We honor Do Not Track signals and do not track, plant cookies, or use advertising when a Do Not Track (DNT) browser mechanism is in place.
Does our site allow third-party behavioral tracking?
It’s also important to note that we do not allow third-party behavioral tracking.
COPPA (Children’s Online Privacy Protection Act)
When it comes to the collection of personal information from children under the age of 13 years old, the Children’s Online Privacy Protection Act (COPPA) puts parents in control. The Federal Trade Commission, United States’ consumer protection agency, enforces the COPPA Rule, which spells out what operators of websites and online services must do to protect children’s privacy and safety online.
We do not specifically market to children under the age of 13 years old.
Fair Information Practices
The Fair Information Practices Principles form the backbone of privacy law in the United States and the concepts they include have played a significant role in the development of data protection laws around the globe. Understanding the Fair Information Practice Principles and how they should be implemented is critical to comply with the various privacy laws that protect personal information.
In order to be in line with Fair Information Practices we will take the following responsive action, should a data breach occur:
We will notify you via email within 20 business days.
We also agree to the Individual Redress Principle which requires that individuals have the right to legally pursue enforceable rights against data collectors and processors who fail to adhere to the law. This principle requires not only that individuals have enforceable rights against data users, but also that individuals have recourse to courts or government agencies to investigate and/or prosecute non-compliance by data processors.
CAN SPAM Act
The CAN-SPAM Act is a law that sets the rules for commercial email, establishes requirements for commercial messages, gives recipients the right to have emails stopped from being sent to them, and spells out tough penalties for violations.
We collect your email address in order to:
• Send information, respond to inquiries, and/or other requests or questions
To be in accordance with CAN-SPAM, we agree to the following:
• Do not use false or misleading subjects or email addresses.
• Identify the message as an advertisement in some reasonable way.
• Include the physical address of our business or site headquarters.
• Monitor third-party email marketing services for compliance, if one is used.
• Honor opt-out/unsubscribe requests quickly.
• Allow users to unsubscribe by using the link at the bottom of each email.
Thank you:
A sincere thank you to the DefCon organizers, the villagers and our sponsor. We absolutely enjoy hosting this event every year.