Final Scores

Team Score
Plaid Parliament of Pwning 11263
HITCON 7833
Dragon Sector 4421
Reckless Abandon 4020
blue-lotus 3233
(Mostly) Men in Black Hats 2594
raon_ASRT 2281
StratumAuhuur 1529
[CBA]9447 1519
KAIST GoN 1334
Routards 1262
More Smoked Leet Chicken 1248
Binja 1153
CodeRed 997
w3stormz 987
[SEWorks]penthackon 979
BalalaikaCr3w 937
Gallopsled 921
shellphish 899
HackingForChiMac 546

Finals

DEF CON 22, Rio Hotel & Casino, Las Vegas, USA

Conference Aug. 7-10 2014

Capture the Flag Aug. 8-10 2014

Thanks

2014 was our second year running DEF CON Capture the Flag, and we're still in shock at how well things went for our players and spectators. Here are our final thoughts about this year's game.

Scoring

This year's scoring mostly worked as documented: each team's instance of a service started with 417 flags, flags remained with the service even as they moved through teams, and teams could in theory come back from their flags on a service zeroing out.

On Friday, we found a bug that caused round-end flag distribution to be run once for each enabled service in a given round, instead of once in a given round. We fixed this Friday afternoon, and re-ran the scoring algorithm over the entire game Saturday. Additionally, we were able to re-run scoring when teams lost SLA checks due to hardware failures on our end.

The Badge

DEF CON 22 CTF badge

The DEF CON 22 CTF badge ran two openMSP430 cores, one for the radio, and one for the vulnerable "badger" service. The PCB was fabricated in the USA by OSHPark. The badges were hand assembled at our secret lab by Jymbolia, Duchess, Gyno, and Sirgoon. The team badge and server software was written by Sirgoon and the VIP badge software was written by grumpybear, using Adafruit LCD graphics libraries.

We would like to apologize to the two-year champions, PPP. An off-by-one error in our badger backend code made it impossible for team id 0 (PPP) to score correctly. They had a working exploit before the end of day 2, but were unable to score any points because of this.

Visualizations

The biggest draw to our room this year was the attack visualization by Hoju and Lightning, which ran Saturday and Sunday.

Each box represents a team, and their physical position within the room. The projectiles represent successful attacks from the launching team against the exploding team. On Saturday morning, the colors of the line indicated which service they were for. However, we found out that at least one team dedicated a player to watching this display as part of a forbidden defensive strategy, and Saturday afternoon and evening, we switched the colors to be random.

On Sunday, we replayed the Friday and Saturday event streams with per-service colors.

Video Content

Historically much of the CTF video content that's been played at DEF CON was extremely sexualized, and would get an R or NC-17 rating in theaters. With the DEF CON audience diversifying, maturing, and simultaneously getting younger, this material is leading to awkwardness, discomfort, embarrassment, offense, and rightful public criticism.

We're not sure what the solution will be: more family-friendly music videos that keep with the DEF CON CTF aesthetic, fewer music videos, more visualizations, or (almost certainly) a combination of these.

Know that it is a problem with many of us at Legitimate Business Syndicate, and we hope we'll do better next year.

Open-Source Releases

We're planning on open-sourcing most of the vulnerable services from both our qualifiers and final games this year, as well as the registration and scoring systems for both. We hope to have these out in September.

Looking Forward

We're taking the next several months to relax and plan for 2015. If you're interested in Capture the Flag, check out CTF Time for information about other games that'll help you practice and prepare. Keep an eye on the Legitimate Business Syndicate blog and Legitimate Business Syndicate on Twitter for more DEF CON CTF news.

See you in 2015!