Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20120722132541.GA20202@openwall.com>
Date: Sun, 22 Jul 2012 17:25:41 +0400
From: Solar Designer <solar@...nwall.com>
To: defcon-2012-contest@...elogic.com
Cc: john-users@...ts.openwall.com
Subject: Crack Me If You Can 2012

Hi,

So the new contest is announced, and indeed team john-users wants to
participate.  We have a few questions on the new rules:

http://contest-2012.korelogic.com/intro.html

"Each solved challenge is worth a big chunk of points, and there are
also sub-prizes for solving challenges. However, teams are limited as to
how many challenges they can win (see below), so big teams cannot sweep
all the challenges."

Besides points for solving a challenge per se, will solving a challenge
also provide other ways to increase the team's total points - e.g., by
providing extra hashes to crack, like it was in last year's contest?
In other words, if a team knows they can't get any more points for
winning additional challenges, does it still make sense for the team to
spend time on the remaining challenges?

"Simple, right?" - not quite, and potentially subject to interpretation
differences.  Examples are desirable.

"* You MUST NOT attempt to interfere with the efforts of another team.
* You MUST NOT attempt to steal passwords from or techniques/methods
used by another team."

Does misinforming another team (or a member thereof) of our team's
progress, what techniques turned out to be (in)effective, etc. count as
"interferring" with their efforts or not?  In other words, is this
permitted?

Similarly, does making use of such deliberately provided or publicly
available information from another team count as "stealing" or not?
In other words, is this permitted?

To give an example: if we post 1000 cracked passwords to the john-users
list, may another team use them and not be disqualified for "stealing"
from us?  Or are they from that point forced not to crack those same
1000 passwords (as if we "patented" them or something)? ;-)  The latter
would be ridiculous, of course.

These two are not new rules (IIRC, they existed last year as well), yet
I felt a clarification would not hurt.

"You MUST NOT switch teams during the contest--we will assume you stole
all the cracks from the team you left, or the team you join."

Now this is a new restriction, and one that definitely needs to be
clarified.  It is extremely ambiguous as written.  What was the intent
here?  Can you name specific examples from past contests (not
necessarily limited to past CMIYK) that would violate this rule?
And examples that would not violate it?

It is somewhat common for a person to submit their own results and also
feed their cracks to a team's pool.  Usually this did not affect the top
3 places (e.g., team john-users in CMIYK 2010 and 2011 accepted cracks
from bartavelle and 16Crack, who also submitted their results separately -
but they were not in top 3 personally).  However, a recent exception to
this is the Hash Runner contest at PHDays 2012, where Xanadrel took
third place while also feeding his results to team Teardrop (Hashcat).
Is this now against the rules?  In all cases or only when the person
ends up in top 3 (thus, their scores would not count then and the 4th
entry, etc. would be the 3rd place winner then)?  What about the case
when this is done between two teams (a smaller team submits their
results separately, but also contributes to a larger team's pool)?

What about team mergers during contest - e.g., if teams currently ranked
4 and 5 decide to merge and hopefully take 3rd place, moving the team
currently ranked 3rd down to the 4th place?  Is this permitted?  (Of
course, assuming that the teams choose which one will be the merged team
and submit both teams' cracks under that team before the contest ends.)

"we will assume you stole all the cracks from the team you left, or the
team you join" - and what do you do in that case?  Also, does it matter
how you resolve the "or" (which team the person or sub-team stole cracks
from)?  Does some team get disqualified as a result (which one? or both?)
or do you adjust their score somehow (how? I see no fair way considering
that cracks by different people/teams usually mostly overlap).

My suggestion is that mergers be allowed, but only the highest-scoring
of the merged teams be eligible for a numbered place and the
corresponding prize.  Ditto for people posting their personal results
and also being on a team: they would not be eligible for a prize
personally then.  Of course, this assumes that teams/people disclose
such information (or it is inferred by other means).  As far as I'm
aware, so far no one attempted to hide it, and the teams tend to play
fair.  So I think this is OK.

Would this work, or does it not address some other need for this new
restriction?  Anyhow, the rule needs to be clarified and examples need
to be provided.

Thanks,

Alexander

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.