Defcon 26 OSINT CTF Contest Rules & Description

Overview of Trace Labs: Trace Labs is a nonprofit organization designed to bring hackers together to help people on the worst day of their lives. When a close friend or family member goes missing, it is devastating to the family. While most people turn up, many do not and suffer unthinkable fates. The family they leave behind never knows what became of them. Trace Labs is a crowdsourced platform to help with this situation. Toronto Defcon worked with Trace Labs on July 26, 2018 to offer the world’s first open source intelligence CTF for missing persons and successfully located two people.

Defcon 26 will be our second event and promises to be even bigger. You are part of history in this event.

Event Description: The Trace Labs open source intelligence (OSINT) contest for Defcon 26 uses a Capture the Flag (CTF) format, which is standard for InfoSec conferences. However, what separates this from others is that the people we are collecting intel on are real. The contest focuses on real missing persons around the world, and the information we collect is sent to the respective authorities in an effort to assist with the location of these missing persons. The flags and their weights are outlined here (and in Slack): https://www.tracelabs.org/getinvolved/ctf/

Objective: Our primary objective is to collect intelligence on the missing persons. The secondary objective is to find the missing persons. As a contestant, you get points for both, and the most points wins. Points for locating a missing person are substantial.

Rules: Please follow the rules. While we know there may be misunderstandings, our targets are real people with real families.

  • Anyone can participate in this contest. You do not have to be a Defcon 26 attendee to qualify as a contestant.
  • The DC26 event is for individuals rather than teams.
  • You do not need to be physically in Vegas with us to participate. You are welcome to compete virtually.
  • Contestants must be registered with Trace Labs. Registering here gives you both site and Slack access: https://www.tracelabs.org/accounts/register
  • Attacking any Trace Labs infrastructure will result in disqualification.
  • Attempting to exploit any other players will result in disqualification.
  • Contacting the target, family of the target or friends of the target will result in disqualification (this includes tagging, liking or any other interaction). Basically, performing anything but OSINT will result in disqualification. This means you don’t “friend” or comment on any social media related to the target.
  • Using passwords from publicly available breached data will result in disqualification. While the data is public, the use of that data is illegal, immoral and not in the spirit of Trace Labs’ mission. Using tools to see which of their accounts have been breached is, however, acceptable and encouraged.
  • To score points, your intel must be verifiable. This means a link to the public information you discovered. A screenshot followed by a destination/source URL works perfectly. We will click on it to confirm.
  • Only open source intelligence is used for flags. No points are awarded if you cannot show the URL. All flags must have a URL we can check.
  • If you have public data (such as metadata) that is not available via link, show us the process for discovering it and it may be allowed.
  • You cannot create the intelligence. We will be checking this.
  • Do not engage the authorities in any way. At the end, the contest organizers will send them everything we collect.
  • If in doubt, ask us. We will be happy to provide guidance. Questions, concerns and recommendations can be sent to info [at] tracelabs.org or posted in our dc26-help Slack channel.

Prizes: First prize was recently announced. Julie Clegg, the famous investigator from Hunted and the World Class Investigator podcast, will be providing two consulting sessions with the winner. Hunchly will be providing licensing to the top 3 winners.

Duration: Friday, August 10th through Saturday, August 11th. The contest runs 24×7 for 2 days. However, point collection will be done from 9am to 5pm each day. Final tally on Sunday morning. Operation details will be dropped into each Slack channel at 9am (Pacific time zone) on Friday morning.

Platform: For ease of use and convenience, Slack will be used. You can sign up here: https://www.tracelabs.org/accounts/register/

The Slack channels you will use include:

  • dc26-general: General discussion on the event. Please keep general banter here and not in the op channels as those are for intel submissions.
  • dc26-support: Requests for help. If you need something or have a question for the admins, do it here.
  • dc26-op-#: The # will vary as we have a few operations. All evidence needs to have a link to allow verification. For example, you can submit a screenshot of what you find but ensure it is accompanied by a link to where you found it. You will get extra points for adding details on the relevance of your intel.
  • Current channels are (we will add more if needed as the contest progresses):
    • dc26-op-1
    • dc26-op-2
    • dc26-op-3
    • dc26-op-4

Flags: While there is a base scoring system at the link below, we realize that we can’t list all the useful flags. We will monitor the Slack channel and award points to flags as these are discovered. Remember that relevance is as important as the intel. Tell us why it is important and expect more points. Base CTF flag list is here: https://www.tracelabs.org/getinvolved/ctf/

Support: Please email any questions to info [at] tracelabs.org. Also, in Slack you can ask questions on the Support channel.

Scoring: We will make every effort to do scoring in close to real time, but there will be delays. We are a small team that occasionally needs to take bio breaks. At minimum, we will ensure the scoring is done at the end of each day.

FAQs:

  • Q1: Can I get points for different cases?
  • A1: Yes, we will total your points across all cases.
  • Q2: How do I know when my intel has been reviewed and points assigned?
  • A2: Judges will put a thumbs up emoji mark on the intel and put the number of points assigned soon after that.
  • Q3: What if there are no points assigned to my intel?
  • A3: Let the judges know in the dc26-support channel.
  • Q4: What if someone else has provided the intel I found?
  • A4: For DC26 we are only allowing one contestant to score on specific intel. This means every submission will be unique and you will need to build on top of what was already submitted. We are using open channels which allows you to see the intel and some of the OSINT techniques in real time. We think this will provide you the most value.
  • Q5: So all contestants can see all the intel everyone has submitted?
  • A5: Yes. This is by design. We don’t want people doing the same work but instead building on top of what has already been done.

Contestant Tips:

  • All submissions on op channels should contain 3 details. 1) The evidence (might be a picture or a name). 2) The link to verify the intel (link to the picture or profile). 3) Brief details on why this intel is important and relevant (i.e. “this is her best friend” or “he was with this person the day before”). If the judges can’t understand why you are submitting this, you risk not getting points. If you show relevancy, you are likely going to get bonus points.
  • Watch the op channels to see what evidence has already been submitted. Remember you won’t get points if it has already been submitted.
  • Please keep chats in the dc26-general Slack channel and not in the op channel. If we have lots of noise in those channels, it will be harder to see your intel.
  • Please keep help requests in the dc-support Slack channel. We will be watching that so we can help you as soon as possible.
  • Really stuck? Check out sites with OSINT tool selections like IntelTechniques by Michael Bazzell.
  • Submit one bit of intel at a time to ensure judges capture all your points.
  • We are expecting a lot of data, especially at first, so don’t be surprised or alarmed if we get behind. At the very least we will catch up after the event closes on Saturday.
  • If we catch you making any contact you will be disqualified at minimum. You may also be interfering in an active police investigation. Look but don’t touch. No friending, tagging, commenting or anything else except evidence collection. It will be tempting but please refrain.
  • Also, please don’t use public breach data to log into their accounts. This is illegal and we cannot use that for points. It’s important that we refrain from these techniques.
  • While this is a CTF, it is also designed in such a way to maximize learning opportunities. Don’t hesitate to reach out for assistance or questions.

Sound interesting? Sign up here to get registered on the site and Slack channel: https://www.tracelabs.org/accounts/register/
