 My name is Iris, we are TC949, and this is OCTF, five years and 50 minutes. You're on the right place, guys. It's like gym class. And five years ago, we invented and implemented a little game called, well, originally it was called Amateur Capture the Flag, and then it became Open Capture the Flag. And I guess we'll just have everybody stand up instead of names or, you know, so we know who we're talking to. Adrian Adam. CP. Jeff Ball. Frank Tu. Aprilette. Ah, history. So, five years ago, me and this guy over here, the redhead, Adam, we walk around DEF CON. This is many moons ago. DEF CON was at the Alexis Park. And there wasn't a whole, right now there's many DEF CON contests. There's Mystery Box, there's contests and badges and ninja party stuff you can take apart. And everybody else who has a party has a badge and takes stuff apart. And there's karaoke and there's more contests than I can possibly even remember. But it wasn't always that way. There was only maybe three or four contests originally. So there wasn't a whole lot of structured activities for attendees to do. I mean, you know, you could walk around and you could, you know, get on the most hostile network on Earth and play around, which is cool, but like that was it. You know, you could talk, which is not bad. But obviously, the cornerstone contest of, you know, DEF CON forever is CTF. And CTF is really cool, but it suffers from one real nail, which is not everybody can play, right? I mean, CTF is awesome. Everybody would love to bash their brains up against some of the smartest guys out there on the net. But, you know, resources are limited. Not everybody can play their game. So over half intoxicated banter one day, me and Adam had a conversation and I kind of tossed the idea. I was like, yo, what if we made a game that was like CTF, but everybody could play? And he kind of looked at me and said, well, that's really cool. There's nothing about doing that. You want to do that? 
And I was like, no, we should go find somebody to do it. So we spent a year looking for somebody else to host this contest that would be fun for us to play. It would be like CTF, but everybody could play in this giant room and, you know, it would all have crazy hacker good times. And nobody wanted to do it. Everybody said, oh, that sounds like a good idea. You should do it. So our grandmaster plan was to apply for, you know, talk to the goons and be like, hey, we'll run this contest and try to run this contest. And then we screwed up so badly that people would approach us and say, this is a really good idea, but you guys suck at it. And we'd be like, oh, please, please, because we had so little faith in our own abilities. So we, you know, muscled up some moxie and had our one little computer with no paint on it. And like, I think it was like an aluminum or iron case or something heavy as hell. We tried to host it over Wi-Fi the first year. That was really smart. And we set out to host this contest. And it had a million problems and was hardly ever up and had all kinds of... The finger of God was like flicking us off that day. It was not friendly. But the few people that came out to play had a lot of fun. And at the close of the contest, people walked up to us and said, wow, that was really cool. You guys had some serious problems. You should fix it. Oh, that's not the response I wanted. But that's what we got. So, yeah, it started really fledgling. And then a few years later, we were still doing it. And by the time we ended, what we thought would be very simple, originally amateur-esque services, games turned into just these monster, monster challenges that would literally take years to create. I mean, by OCTF 3, which is I think where we changed the name from amateur to open, the reason we changed the name is because other people would walk up to us and say, why do you guys call this amateur? This is not easy. 
I mean, not that I would claim to be some super legat-style programmer. But I mean, it was unique enough to where somebody else felt that we needed to change the name. So we did. So I guess the rest of the panel is, over the years we've gotten a whole lot of really nasty complaints of stuff we did to people's computers. So I figure we'll just stand up and... Or we'll sit. Yeah, you guys want to sit. Make me stand. I see how it is. And just go over, I guess, some of the milestone services, some of the ones that were really popular, the ones that people remember. And then at any real time, if anybody's got anything they wanted to know or questions they've had over the years or is really upset about me blowing up their computer in year three, it's a panel. So feel free to get involved. Thank you. Thanks for interrupting. Stage Ninja. Stage Ninja. Yeah, just, you know, feel free to shoot your hands up there and just get involved. Just real quick, guys. Anyone in here actually play in Open CTF for the last five years? Oh, wow. So I was expecting no one, so my next anecdote's not going to work. So yeah, we're going to cover some services. And then kind of towards the end there, I think we're going to have a lot of time left, ask questions, maybe services you would like to understand how we did the back end or what things we did and why we did them. And probably a lot about happy dance. Feel free to throw things at me. All right. One of the things that I liked running the contest was there was always a good range of services. So it didn't matter whether you were, you know, some guy off the street who, you know, didn't know a whole lot or whether you've been doing this for years and, you know, run your own pen testing company. You could come here, try and hack something and have fun. 
Some of the stuff that I did throughout the years has been crypto related and some of it was simple, you know, telnet into this and it gives you an encoded text with some custom algorithm, anything from rotation to transposition, like all kinds of different stuff. And basically you had to solve that. And there weren't any hints. It was just, here's a ciphertext, give me back the plaintext. And one of the other challenges that we had was it had to get harder as the contest progressed. I mean, if people were just battling back and forth, you know, two people know how to solve it, they're just going to script it and then, you know, the server is going to get tossed. So what we had to do was we had to make the challenges get more difficult over time at, you know, a reasonable rate so that people would always be able to try and have fun. So the crypto was a whole lot of fun. We had some games like I did Hangman where basically you had to guess the, you know, it was Hangman. And there were some different, it was web-based, you could do some different injection attacks and stuff like that. Or you could just try and play Hangman and win. So, you know, however you want to attack it, by all means. What else did I do? One year we had a whole economy set up because one of the things we got from, I think it was year three, someone came up and was like, you know, I really like your contest, and it's a great challenge, but it's not really like, you know, real life. I mean, this crypto stuff is cool and all, but, you know, I'm not going to come out in the wild and say, oh, look, I'm telnetting into something. It's giving me a crypto thing. It's just not going to happen. And all the, you know, real crypto is, you know, actually secure, where you're not going to break it in a reasonable amount of time. So, like, I'm not going to give you that, and it's more or less impossible. 
And if you do break it, you know, you're not going to release it here at OCTF, so you're probably going to do something else with it. So, what we did was we set up an entire economy. We had a bank, we had an ice cream shop, we had an auction, and a whole bunch of stuff. And we had different flags, you know, hidden within, and, you know, basically all the websites you could hack or, you know, you could just try and manipulate the system to get what you want, more money, more credit, more stuff at the auction. We even auctioned off stuff like trash from the, you know, ice cream shop, which had hints on, you know, different things on how to score. What else do we have? I was like, and what's great about the economy is like the real economy, it kind of crashed and fell apart. That was before it. Yeah. What else did I do? Oh, a letter drop. That one? Yeah, that one. I did a really interesting crypto one where normally you substitute one letter for another. Well, with this one, it wasn't that at all. You just rearranged the letters and you got your plain text. And that one, did anyone get that one? I think someone got it, but it was like, everyone thought it was super hard and it's like, all you have to do is rearrange the letters, guys, it's an anagram. It's not that tough. It was like 12 characters. Come on. So it was really interesting to see, you know, you do things like that that you think, oh, this is going to get, you know, smashed in the first 10 minutes. And, you know, sit there for like three hours and people know it's there, people are trying. You walk around and people are trying things. You're like, okay, I don't know why they're trying that, but, you know, good luck. Anyways, it's been a lot of fun. I've learned a lot. Had good times with all the contestants. Pretty much know them all by name now. And we had a great run. And hopefully I'm going to go check out what the two boarders are doing over there after I get done talking. Who's next? 
So, well, I only recently joined the 949 crew and, you know, when they say that anybody can just come up and help them out, they're not lying about that. My first DEF CON was DEF CON 16. And I saw OCTF and I was like, this is really cool. And these are some cool guys. I'm going to go meet up with them. Then the very next year I was actually with OCTF and it was a whole lot of fun to work with them. So I only had one service, but it was a big, massive service. Are any of you guys familiar with the text game Zork? Okay, here's a few people. Good. So basically what mine was was Zork with a zero, you know, because hackers love numbers. And what it was was you were in the NIST facility to imprison hackers because, you know, you don't want to put them in a regular prison or crap eaten out of them or something like that. So you put them in a prison hosted by the NIST or MITRE or whoever you really want to call it. And the idea was there was some B-TARD guard who loved you and hackers because hackers are cool and he's just fucking retarded. So what he's going to do is he gives you some lock picks to help you break out of the prison. And what you're going to do is all the guards are out at DEF CON right now, because they love DEF CON too. And there's only that one B-TARD idiot there. He helps you break out of prison. And the entire idea is for you to not necessarily break out of prison entirely, but to go to the yard and deface the flag with your team name. So what this involved was basically, it was exactly like a text-based adventure. You would have to pick your way out of your cell, then navigate the text-based maze and try to figure out how to go from one level to the next. And every door had a lock of some kind that you had to perform some sort of binary manipulation on it. You had to find out how to perform an exploit on the door in some way or another. 
You had to get a key card and then a thumb drive so you could add an exploit onto your key card and then put it in the lock. The lock would run the exploit, and then you would get through the next level. Then there was a final door, which is basically kind of like a keygen in a way, where it was basically a challenge response where you would have to download the lock and reverse engineer and try to figure out the algorithm. So when it gave you a question, you would have to give it a response. So as the game progressed, it would get harder and harder and harder. The exploits would get a lot more difficult to perform or more difficult to figure out. Sometimes you would have to figure out where the address was going. What else was there? Yeah, and the key generator got more and more obfuscated with every time. And how many of you guys play pen and paper games like D20 games? If the DM told you explicitly to go somewhere and really, really, really told you to go somewhere, would you follow them? Why would you follow them? That's so gullible. So here's what happened. Before you get to the library, which has a lot of key components, the descriptions of the rooms tell you, hey, by the way, you might want to go to the locker room. There's a lot of interesting things in the locker room. I actually got compliments on the writing of it, at least. So I mean... Yeah, and that was basically how Zork went. And that was just a whole lot of fun to write. Who's next? So I think these guys kind of understate the wacky antics that contestants do during the game. That was seriously like 80% of the fun every year that we ran it. It was just seeing the hairball schemes people would pull in the middle of the game. Like Adam was over there talking about the economy and oh yeah, it was funny because it crashed. 
What was really funny is after a while when people couldn't figure out a way to beat it to modify money, they just get up, walk around the room, start walking up to people's laptops and if it was open to their banking website, they just go, change. And then people would argue with us about it cheating. Not my fault. Oh man, all kinds of crazy... We had a mistake one year where we in all classic fashion left the login to a box as root root. Which is embarrassing for multiple reasons. A, because well, you know, we left the boxes root, root. You know, dood-de-dee. Secondly, because nobody found it for like an hour. Which is just sad. And then when somebody did find it, they didn't patch the box up so somebody else took it from them. And then, you know, we finally figured out what we did and we reset the computer and, you know, had it all back. But they decided they would be crafty so when they gave us the box back since we didn't want to reset it, they left a nice little cron job that would look for every... We would look for the string that we tagged all of our flags with in every file on the computer and change it to their team name. The problem is their cron job didn't check to see which type of files it was modifying so at some point it started going through like libraries in the computer, you know, like glibc and just screwing crap up. But I'm scoring, the box just dies and it starts screaming at us, what did you do? It's not my fault, you're a bad admin. I didn't do it. Anyway, it's hard to just talk about my own service because my favorite services are stuff everybody else wrote because they're really cool. One of my fun little gems that I wrote was called Global Thermal Nuclear War. I hope at least one person in this room has seen WarGames and guessed the joke. Thank you. 
So Global Thermal Nuclear War was this webpage that you would go visit and there would be a little password field and there would be a button and the button would say, download Unlocker, because that's not ominous at all. So you download this Unlocker and there was a binary in it and obviously it was full of horrible nasty acid venom things that were designed to do horrible things to your computer and I hoped people would run this in a VM because at one level it did bad things. So what this binary was is it was a three-card monte. You'd run it and you'd see three options and you could play chess, you could play Tic-Tac-Toe or you could play Global Thermal Nuclear War. If you played Tic-Tac-Toe, I actually wrote a really crappy terminal version of Tic-Tac-Toe that you could play and win, and eventually if you did win it would display a ROT13-coded message at the bottom of the screen that would mutate every three times that you ran it, and if you decoded all of them and put them together in a giant string, excuse me, it would just tell you, this is a red herring, why are you looking here? And a lot of people spent time on that. I really don't know why they did it. It's ROT13, it's not hard. And some people actually decoded it and then thought there was something else in it instead of looking at it for hours. The chess game was just literally a link to a Windows chess game that people downloaded, and eventually people like rooted that site and did all kinds of horrible things to that company. I don't even know who it was. I just picked it at random. It was the first link on Google when I looked at chess, so sorry for them. And if you hit Global Thermal Nuclear War it would show you another three options, and those three options would say, okay, you're playing Global Thermal Nuclear War, which set of cities would you like to attack first? And I actually took the orders from the movies, so Seattle was in there. You could decide if you were going to be the Russians, the Americans, and you'd pick 
one, and each of these was the game itself. There were three options. One option would echo the correct password to /dev/null, which is about as close as you were going to get to having it give you the answer, and the other two options would initiate a malware payload. One of the malware payloads would overwrite the first 512 bytes of every device attached to your computer with a really nasty bootloader that would just say in giant ASCII art letters, and like a giant middle finger, the only winning move is not to play. And if you modified that firmware then you got another firmware, because it detects the threat that the binary is modified, and it just said har har and, you know, kind of laughed at you. And the other payload would restart your computer. So you have this binary and you run it, and if you're not stracing it, it just exits if you get it right. So what are you going to do? You're going to run it again. So you were very, very likely to try to run it against both horrible payloads and it would hurt your machine. And I hoped people would run it in the VM, and most people did, and I know at least one kid didn't, because it was his first DEF CON and I had this conversation with this 16 year old kid who was crying in a corner because his box was nuked, and he was like, but I just formatted it because I thought it was screwed. So I'm a horrible person. And again with the wacky antics. So the coolest thing about that service I think was how the guys who beat it ended up beating it. We had two teams from Korea, Van and D-Dep. So the binary, the way that it was created, the only obfuscation it is, the key was really stupid series of times tables, and rather than try to out binary-fu people that were trying to reverse it, I think I packed it too, it did something stupid. Every time that you downloaded it, it was dynamically compiled. I actually had a web script that would look through the source code of the file, change the statically encoded key in the C source, compile it just for you. The key 
was totally random. There wasn't a way to read the algorithm out of the binary because it didn't exist. So the guys who ended up just really reaming the hell out of that service figured this out and they wrote a Python interpreter to read and unpack the binary and suck the key out of memory when it would run and then dynamically score the game every minute, which is just fucking awesome. I asked them for the script. They still haven't sent it to me. If you guys see this, I want that script. It's pretty cool. That was one of my favorites. I'm going to do happy dance last, guys, because I'm probably going to get some stuff thrown at me. Awesome. Service quota, that's the one I'm trying to think of. Which one was quota? Movie quotes. So people who played last year, yeah, do you guys remember the one with the animated GIFs? Yeah, I love you too. So this was kind of an interesting service, and I always pride myself when writing Open CTF services to just kind of go completely out the window with it and just go for something great. This time around it was animated GIFs from movies. Oh, that's not a big deal, right? You go to a web page, you see an animated GIF from a random scene of a random movie and there's a text box. I don't remember what it said. Read my lips. And that was it. If you were able to insert the text dialogue of that scene in the movie you would score. So let's say you see Neo watching Morpheus jump across the buildings and he's, whoa. If you were to respond with whoa, you would score. And literally what it was is I wrote a series of MPlayer scripts and MEncoder scripts that would take entire movie files, convert them to raw because of the frame-seeking behavior, so I filled out my terabyte drive in an hour, but holy shit, movies convert to raw. Then I would take these subtitle SRT files, which I had a Python script parse out all the time stamps from the Python file, SRT file, and then MEncode those few seconds from each video. So I ended up with something like 30,000 animated GIFs. So if anyone 
wants the entire movie like The Matrix or Gone with the Wind or Passion of the Christ in animated GIF format, I have that. And it was pretty fun. So there was this random Russian Alice in Wonderland animated cartoon, and I heard about this and I couldn't find it anywhere, and I searched and searched and searched the intertubes to find this thing because I figured this would be fantastic, no one's ever going to find this. And I finally find it in a hole in the wall forum and it was posted on RapidShare. So I downloaded it off RapidShare, I checked it out, it is bizarre, it's just creepy, and it's got subtitles. So now that I have this file, I proceeded to contact RapidShare as a copyright holder and had them take it down. So maybe it existed somewhere else, but probably not over the two days of DEF CON. And Quota was a lot of fun. I hope you had fun with that. I guess one of the things you had to do to beat that would be to, did anyone actually script a response or just watch the movie and like pull out the subtitle, I think he said this now? No one actually scripted. Awesome. I figured the best way to do it in a scripted fashion would be to do some sort of frame seeking behavior and look at the different frames of the GIF and then seek through the video file and look for the same files or same frames, but I don't fucking know how to do that. So Tosear, which one was that? OCR. Did anyone play two years ago when there was the custom alphabet written in div tags? I don't know how to describe it better than that. Give me a break here. So you go to a page and you see a word or a sentence, and I think it got longer with time, and it basically was a custom alphabet that I wrote, wow, in JavaScript with Ajax so I could draw on my screen and create an entire alphabet and then print it back to you. It was basically an OCR challenge, but the characters had different sizes, backwards, and quake logo for the Q, a few other weird things. But what's great about it was the best way to do this logic would be to look at 
the source code and figure out what the characters are, and what the problem is, the alphabets are drawn on the screen using floating div tags in a random order. God bless you. So this, I suppose you could extrapolate the points and write something that would put it all together and figure it out, but again I don't know how to do that. So to even get to the source code, if you tried to look at the source code, it used a series of client side obfuscation techniques that I developed for a previous talk on hacking with Firefox and using Firefox as a scraping platform. It had Flash, Flash one time padding, Flash encryption which just hooked into the JavaScript, no, the hook function JavaScripts. And that one was alright. Enjoy it. Do I have to do them all at once? Spread them out a little bit, guys. So did anybody play like three years ago, who played an audio service called banshee? You remember that? Listen to the wacky Portal sound. So nobody got it. The person who came closest, no? Alright, somebody did. I don't remember. I don't think anybody solved it. So banshee was an internet, well, okay, it was a WAV file. You download this WAV file and it was the Portal song and it was really static, and if you listen to it the static would only appear in the intervals in the song. It would be constant throughout the song, but the intervals between each tick in the static were deliberate, because the static was an MP3 file in the WAV file, and if you took all of the data of all of the static out of the file, which you should have been able to do because the distances between the ticks were the same, it was at exactly 44,000 and one killer it, so every one, and it was a big binary blob, and the first chunk of it was an MP3 file and the second chunk of it was the first half of a one time pad. The second half of that one time pad was read to you by a computer in that MP3 file, so you'd have to listen to it and type it. This was supposed to be really simple at first because it only used four characters, so to type these four 
characters and so on together and have the answer. And every time that somebody scored, the code that created the WAV file would recalculate everything that I just explained, so the idea is that the message would get longer. So the longest message that it would ever use is the Microsoft Sam voice reading the entire Hackers Manifesto backwards, and you'd have to type all that and then it would compute. But I don't think anybody ever got it, so I'm curious as to how it worked. That's how it worked. Can we get the laptop on the screen here? Put CB's laptop on. Thanks. Alright, from the service I did, it was really simple looking. You just get the red dot to the green dot, put in left, right, up or down. Not hard. At the beginning you get 40 seconds to do a 10 by 10 maze, so really simple. Then it progressively got harder. You see there, that's level 50 out of 300. Right now it would start out black and white, then it goes to, the colors are off by like one red green blue value, so you're not doing it by hand. And then you also got like 40 at the beginning and down to 10 seconds at the end. And so after that I figured it was too easy, so I started to draw some lines and circles on it, and then people might be looking at the difference in the walls in the background color, so then I started drawing alpha transparent rectangles on it, because really I didn't want it to be easy. So, and then I also started changing file formats in case that made a difference. Some people were telling me they just threw out any JPEGs and kept refreshing, so they kind of tried to combine them all, who knows. Eventually it got too easy even after all the rectangles, so I figured I'll just take one of the pixels and just throw them out and just start drawing different colors all over the place. Actually, there were two teams that scripted it up pretty nicely, although they know that I bumped the level up to 300 at the end and neither of them could score, so it's kind of sad about that. I would like to see the source 
of the bots if anybody's got it. I enjoyed writing several services for OCTF over the years. Let's see, they were, in no order, almost FTP'd, HT DVD BVDB, but it's so much funnier if I say it quickly. It's even more funny if CP says it. It doesn't, so much better than I can. I believe the challenge name was HDDVDBVDBD. Yes, exactly. And just the joy that I would feel in my heart hearing CP say that inspired me to write this service. So what this service was, there was this daemon that would just kind of output a video file and the poor recipient of the video file would have to figure out what in the heck is in there. They'd have to break it down, see what text or clues is in there to get the input necessary to flag and score. Originally I just was making all these videos by hand, but after speaking to CP one night when I was almost done, that kind of stinks, you should probably make it so that it gets a little harder every time automatically, otherwise we're going to run out of levels and people will be sad. And then I was pretty tired and wanted to stop working on this that night, so I was kind of giving them some flack about that, but I called Adam that night to get a second opinion and he said, yeah, that kind of stinks, you should probably take care of that. So at that point I pretty much rewrote the whole thing so that it would take a video, convert it, compress it, render text onto each frame and then output that, get a little harder each time. It would do all these weird transitions, like it would do kind of Rubik's Cube style filters on the videos and change various aspects about it. It was fun to do though because it was really educational. In those several hours that it got rewritten in, I had to learn how to write a program that would render text onto a custom video format and how to mess it up Rubik's Cube style and all sorts of jazz like that. Then the night before, maybe it was two nights before, I think it was the night before we actually left California for DEF CON, I 
realized the hard way that the banner command, which is what I was using to render text onto these videos, is apparently not the same banner command all the time. There's apparently a BSD banner and there's a GNU banner. The one I based the program on was BSD banner in Slackware, and the contest was running on Debian, which had the GNU banner command, and so there was more education there. And let's see here, I wrote a chat program as, I think, part of the ice cream shop clue delivery kind of strategy. It gave you some good clues and some misinformation as well, and half of the chat and banter that was in there came from Adam and I just being in a Yahoo chat one night, just some hacker chat room, and so we just pull out random quotes, change the names to protect the innocent and enhance some of the more boring quotes to make them interesting, and a lot of them didn't even need to be modified. So there was one quote to this day I still can't understand. Now correct me if I'm wrong, wasn't it, what, he's looking at me, yeah, I'm looking at him, you get out of the way, wasn't it a forklift will shift it goo? It was. They had the most ridiculous things that, yeah, they didn't make any sense at all. It was great. And that was just fun because apparently you can make a chat program and our chat server in, I don't know, like four lines of bash. I don't know that. By the way, we're gonna release a bunch of our stuff so that you can actually see his videos as opposed to just hearing a description of them, and you get to play with all the other stuff, like stuff that nukes your boot sector and stuff CP made. And I had a backdoor in my chat program which didn't really go very far because of the previous years where we're messing with everyone. They kind of knew if you download code from us you should probably take some precautions before you run it. So yeah. Um, Adrian. I helped out with the service last year. There was IRC based. Merlin wrote most of it so he deserves most of the credit, but he's not here right now, so 
I'm gonna do the best I can. We had a couple IRC services and we tried to encourage people to hang out in IRC with us, and we were gonna give them hints about how to score and what to do, but as it turns out a lot of people had their own custom IRC clients, and even a couple of teams that were doing really well in the contest couldn't stay in our IRC channel because they trusted the server too much, and we ended up crashing a couple of computers by just catting a 10 megabyte ASCII art of long cat, and this actually brought down a couple of computers, I believe from the Facebook guys, so we found that pretty amusing. I think Big Pimp at Thugalots was one of the few teams that actually managed to stay in our server for most of the time without getting disconnected, and they scored most of our, I think they scored most of the IRC points. Can't even remember what most of the flags were and how they worked. Alright, does anyone remember Happy Dance? Happy Dance was probably the best service I ever wrote. It took me 8 months total 'cause I didn't really know anything about Firefox development, and it was two-faced. You go to a web page and you're presented with, what was that movie, Boondock Saints, there's an animated GIF of, not yet, anyway, I don't remember. You go to the web page, you try an attempt to log in and it tells you you're missing something, and just under the text that says you're missing something is a link to it. So you go there, and because it looks like adamsbuilder.org Firefox implicitly trusts it, and it takes one little click for you to install the Happy Dance authentication extension, which authenticates you to Happy Dance authentication portals. And I was really kind of surprised how many people did this. I think it was just about everyone playing the contest. And they install it, restart Firefox and it comes back on. I got that link after I went to this service, I'm going to go back to this service, I'm going to log in again. Well, this time you fail the login and you get 
told why: your password is wrong, you have no access. But something is different. And you go back, like, what's the most basic thing I can do to a login form? SQL injection. So use the typical textbook example of SQL injection and there you go, you scored, you own the flag. Shit, that was easy. Why was that so easy? Well, because as soon as you installed the extension and restarted Firefox, it would send a plaintext AJAX call back to a local server with all the stored passwords in the Firefox password manager. Keyword: plaintext, which means it was on the whole game and nobody said anything. All you had to do was sniff and wonder why your passwords were leaving your box, and nobody did this, including you feds who got raped. I'm only a dog, I only know things like sit and food and rape. So yeah, the AJAX call would go out, send all your passwords to our local server in plaintext, and the return data would be arbitrary commands that would execute on the system. At first it didn't really do anything, and it would just send all your passwords. So every time a new window opens, every time Firefox starts, it does this. So the traffic increases like 20% with plaintext passwords going back and forth. And after a while, and I feel, we're at a hacker con, we're playing in a hacking contest, these are hackers, they're not going to be dumb. They're not going to have stored passwords in Firefox. They're not going to log in from work boxes that have stored credentials that they use for work on major company websites like, oh, I don't know, Cisco or Sun or Oracle, or universal gateways like 1.1.1.1 on their corporate networks. And it was a lot of fun because it was so fucking easy. Oh, you scored. Yeah, you scored, you win. And no one really looked at the source code because they kind of fricking couldn't. It was obfuscated out to about 47 pages if you were to print it out of size 2 text, because this whole custom obfuscation in Python, a bunch of other stuff that was all in math, like cosine and sine waves, and it just decoded to
actual text. And no one actually solved it. In fact, I believe one or two teams tried to decode it manually by hand, and I think they got pretty far after the first day. I think one person did get it by the end, because all you really had to do was wrap the whole thing in document.write and it vows out and will print out the original source code. Someone goes, hey CP, you got the source code of the Firefox extension? I knew this was going to happen, so I reached down, there you go, handed them the stack of printed out source code. It was a lot of fun. You're an asshole. I don't have it on me. But one of the things Happy Dance did, like I said, was the arbitrary command execution. I could tell it to send another password back to me or send up an alert box. Every now and then you're like, alright, I'm going to just make it say "CP is thirsty," and every now and then someone will bring me a drink. Like, what the hell was that about? Like, oh, you must be compromised. And one guy is like, hey, how did you do that? I'm like, well, I don't know, you tell me. And after a while we made it so every time you scored, it would remove the JavaScript limitation from your browser, so there's no script escape. We'd load up goatsie, or meat spin rather, and then we freeze your browser. So every time you scored, yeah, you got points, but now you got to restart your browser, which by the way sends your password back and checks for more commands to run. Well, that was a lot of fun. So one of the command trips... Five minutes. All the command tricks I was doing was I'd send it new location data so the browser would just go jump around the screen. That's pretty fun, a big deal. But the greatest part, the greatest one, was sending the restart command to Firefox. See the gears turning? Firefox turns on, sends passwords, checks for command to run, runs command, oh, restart. So you see Firefox popping in and out, popping in and out. Again, plain text, nobody saw it. Dozens of times a second, 300 people have their laptops turning on and off, Firefox turning on and
off. And there's this kid, I still remember this because I feel kind of bad about it, but he's sitting here on his Windows XP box with his head in his hands, just not able to do anything because Firefox is popping in and out. He uninstalls Firefox, he reinstalls Firefox, it's still there because he didn't delete his profile. Additionally, the extension removed itself from the installed add-ons list. You couldn't uninstall it unless you were in safe mode. Quick, I think we'll be outside if anyone wants to do Q&A. There's like a room over there, like a room in that way, in our old direction. Yeah. So thank you guys so much. We had a lot of fun doing Open CTF for the last five years. It was an amazing learning experience, an amazing teaching experience, and a very exhausting experience. So check out the new guys. Word of the wise: those of you who ever intend on running a contest at DEF CON, take the amount of time you think it's going to take you to make it and then triple it. You might get close. By the way, real quick, check out the new OCTF and his crew. The Tube Warriors have taken it over now, and expect really good things from them. Thank you guys.