Capture the flag 2013 - hamstah
http://ctf365.com/

======
rquantz
The apparent trouble with signup notwithstanding, this seems like great fun.
The thing is, I didn't find out about those problems, because I didn't even
try to sign up. I have no idea how I would go about getting started being able
to do this.

Can anybody suggest resources for lowly web developers to make our way into
security? Even if just for fun?

~~~
fduran
You may like [http://google-gruyere.appspot.com/](http://google-gruyere.appspot.com/)

~~~
Ellipsis753
Thank you. I had not heard of that before and it looks very helpful.

------
mjolk
This will be interesting to see when finished, but it would be better if each
'Fortress' had to offer services, instead of dictating that each camp has to
run POP + Wordpress + some bullshit plugins. Also, this type of activity
definitely will break terms of service for internet service and hosting
providers, as well as potentially several laws.

~~~
dkokelley
> "...this type of activity definitely will break terms of service for
> internet service and hosting providers, as well as potentially several
> laws."

How so? Is the activity itself inherently against TOS or laws? It seems to me
that by running the competition, ctf365 intends to have users purposefully
exploit sandboxed systems.

~~~
mjolk
How do you define a 'sandboxed' system? What if I choose to run the
Wordpress/Django/Drupal/Whatever-CMS on a shared host? Cracking tools don't
often take into account the negative effects on non-target hosts, nor are they
generally tolerated by shell providers.

For example, see 'Prohibited Usage' for Linode:
[https://www.linode.com/tos.cfm](https://www.linode.com/tos.cfm)

Unless you're paying for raw bandwidth, you're subject to the ToS of each
resource provider along the way.

~~~
dkokelley
Hmm. I think my confusion comes from the assumption that each "fortress"
(server) is a virtual server hosted by ctf365.

From their rules:

_Don't try to conduct underground activities with your Fortress (system)
from our platform in the Real World (e.g. using our platform to spam others,
attack other servers on the internet and so on). We don't care who you are,
but we do care what you are doing in our home (CTF365 Platform). Please
remember that you are our guest and please behave accordingly._

I read this to imply that they will provide the "fortress". So when I say
"sandboxed" system, I mean a system provided by ctf365 on their own
infrastructure - infrastructure for which permission to attack is implicitly
granted.

~~~
kerosen
Yes, we will provide the VPS, and more: you'll be able to connect your own
hardware as a fortress.

------
joyeuse6701
I don't think there is anywhere on the website that explicitly tells you what
the objective of this is, nor exactly what a flag is (even if it is more of a
concept). As much as I can infer from it, in-game instructions should be
explicit.

------
kyle_martin1
Interestingly, they're using the same technique for the cloud effect as that
Japanese energy drink site that was posted here not too long ago.

~~~
talmand
I hope their use of imagery from the Captain America movie is covered under
fair use or derivative work.

[http://comicbookmarks.com/wp-content/uploads/2011/08/detail-...](http://comicbookmarks.com/wp-content/uploads/2011/08/detail-6.jpg)

~~~
kyle_martin1
Agreed!

------
gailees
Love it. But the very janky website makes me worried about the quality.

~~~
grey-area
It's a good illustration of a misuse of the webapp single-page formula for a
simple informational site. This could have been simple HTML with a proper URL
for each page, so that you could actually link to the subpages, but instead
they're trying to load the content in with JS, and performing terribly with no
feedback on clicks when I last looked.

The actual content is here (and loads pretty quick as it should):

[http://ctf365.com/pages/game](http://ctf365.com/pages/game)
[http://ctf365.com/pages/rules](http://ctf365.com/pages/rules)
[http://ctf365.com/pages/prize](http://ctf365.com/pages/prize)

Looks like a Rails site; not sure what all the gmaps code is about,
perhaps backend pages?

A fun idea, but I'd prefer if they just specified a simple set of services
that you have to support, say something like:

IMAP

Serve this json

Serve this html and let people edit it

Serve this information from any db and let people edit it

and leave the backends to people's imagination. It sounds like they're going
to actually specify different CMSs etc, and installing browsers?!?, when they
should be specifying what protocols and data are required - that would let you
use whatever service and backend tools you wanted.

The maps on the blog look pretty though.

------
grimtrigger
Is there anything to stop me from signing up random people's websites?

~~~
BWStearns
Per another branch of the conversation, they set up the servers, you just
control them, so the entire conflict happens in a relatively sandboxed
environment.

------
kerosen
CTF365 is a startup in bootstrap mode (self-funded) that will change the way
Information Security is learned. We try to do our best with very few
resources. No seed money, no Kickstarter money, but full of passion and
dedication.

------
duked
Tried to sign up and got the same message no matter what email/password I use:
"Invalid email or password."

~~~
IronWhale
Oh, btw, for sign up there is no password field. You must be using the sign in
form (it could still be a bug, e.g. clicking sign in shows the sign up form
for your browser).

------
BWStearns
Anyone interested in making a HN team? (possibly a few given that it's limited
members/team)

~~~
andrewbuss
I'd be interested in joining one if there is space for someone with limited
administration experience.

~~~
BWStearns
Shoot me an email, brianw.stearns@gmail.com. I have [very] limited practical
admin experience, but I will try to scare up a friend who can devote some time
to it.

------
stephengillie
Mobile browser fail

Edit: The signup/signin box is half off to the left of the screen.

------
IronWhale
This is cool. Please hammer home the C&C nostalgia - we all love it.

------
neumino
Looks like they got too much traffic...

------
thejosh
Really hard to read the text, but really nice homepage.

~~~
recursive
How is that possible? What's the purpose of the homepage?

------
Buzaga
Wish I knew anything about hacking to play this, I just know development :(
Setting up the server would already be some work for me.

~~~
stephengillie
Hopefully they'll at least link to good configuration sites for each service,
to give new players at least a fighting chance.

I wonder how long it would take someone to spin up a script to install all of
these services...

_SMTP, POP, IMAP, FTP, etc., one CMS + specific plugins, 2 different internet
browsers, 3 web applications & at least 2 different databases_

So...a mail server, file servers, multi-webhost, databases, and CMS with many
plugins. I assume that "different databases" means different database stacks
on different clusters, not "both MySQL and SQL Server 2012" on the same
server, right? (In Windowsville this would all be within an AD domain, I'm not
sure what the Linux equivalent is.) Will there be a required volume of
photo/social datamass to be stored on the server? Maybe instead of some kind
of "flag file", we'll have to store embarrassing photos of ourselves?

Who installs a second browser on a server?

~~~
herge
Who installs a first browser on a server?

~~~
stephengillie
1. They come preinstalled on some closed-source OSes

2. How else would you connect to a datacenter server's integrated lights out
(ILO) webpage from a bastion server within the datacenter and domain, to which
you're only allowed an RDP connection?

