DEFCON 27 & BSidesLV 2019 Takeaways: Part Two
DEFCON Past and Future Comparison
The last time I spoke at DEFCON was DEFCON 24, where I presented a talk on Solid State Drive forensics. My focus this year centered on my involvement in the National Collegiate Penetration Testing Competition (National CPTC), where I have a key role in making the event into the experience that it has become.
Our goal for the talks at the DEFCON villages this year was to increase awareness of the competition, speak with competitors and potential volunteers, and explore new challenge ideas for future competitions. After having met so many inspiring people who are excited to work with us, we feel our trip this year was a great success.
Packet Hacking Village/Wall of Sheep Experience
Our DEFCON experience started with kicking off the weekend of talks for the Packet Hacking Village. Fellow CPTC Advisory Board member Dan Borges and I delivered a 50-minute presentation providing an overview of CPTC, how the environment is built, and the educational goals of the competition. We also released the theme of the 2019 National CPTC event, DinoBank, and our plans to focus on a banking environment this year.
Our presentation really struck a chord with Ming, who coordinates the Packet Hacking Village talks. This village is focused on education, and our competition and goals aligned perfectly with these objectives.
Big Thanks!
We’d like to thank Ming and the rest of the Packet Hacking Village/Wall of Sheep staff for the opportunity to present and their warm welcome on the stage. It was a pleasure working with all of you.
Ethics Village Highlights
Our second talk took a different approach, where Dan Borges, Lucas Morris, Jason Ross, and I formed a panel for the National CPTC advisory board. We led a discussion on the ethical challenges of teaching pentesting, basing our commentary on what we’ve experienced over the years of running this event as well as our own professional experience.
This panel heavily involved audience participation; we polled the audience using the Ethical/Unethical cards provided by the village, and we allowed audience members to share opinions and ask questions. A number of former and current CPTC competitors, coaches, volunteers, and others who were just interested in the issues were present, which made for some very lively and interesting discussions.
I would highly recommend that anyone interested in or competing in CPTC review this panel once it’s available online, as we provided a lot of insight into our administration of the competition and some upcoming additions in 2019 and beyond. A few of the highlights include:
Team Interactions
We’ll be increasing opportunities for teams to interact with each other in 2019 and beyond.
Custom Tool Development
In the spirit of increasing collaboration, we’ve added provisions allowing teams to stage and use custom tools in the competition as long as they are made available to all other teams and documented. We are committed to providing educational value and supporting the community, and if teams want to work together to develop tools, we will support and encourage those efforts.
Rule Enforcement
Rule changes in 2019 give us significant flexibility to characterize attempts to circumvent the competition rules as unprofessional behavior. Our goals are to enforce the spirit of the rules, not to encourage teams to search for nuances in the wording of the rules to gain an advantage.
Competition-Specific OSINT
Competition-specific OSINT for 2019 is not yet available, but generally it is seeded a few weeks before the competition begins. There’s definitely a lot of valuable information that can be made available to benefit teams during the event.
Ethical/Unethical Situations
Ethics is a key educational takeaway for the event. There may be cases where we ask teams to do something decidedly unethical to see how they handle this type of issue. If this were to occur, our goal is to provide feedback as to what the appropriate response would be as a teaching moment.
Publicly Available Deliverables
Teams should expect to see that more competition deliverables and materials are made publicly available moving forward.
Emphasizing Education on Ethical Issues
Overall, participating in this panel was a very valuable experience. We’re hoping that this is just the start of encouraging discussions on ethical issues and pentesting, as this is an area that our industry can struggle with and should be emphasizing.
Looking Forward to Future Events
While the talk and panel were the biggest parts of the weekend, there was a lot else to see and do. I spent quite a bit of time with fellow CPTC Director Lucas Morris, planning the 2019 events and looking for ideas for making our future events better. We took a bunch of photos and made lots of notes at several of the villages, and you should be seeing the fruits of our work in 2019, 2020, and beyond.
There was a lot that happened during my week in Las Vegas for BSidesLV and DEFCON; I learned a ton, shared some information, and met up with a bunch of great people, including a few HL clients, along the way.
As always, if you have any ideas or questions, feel free to reach out to me on Twitter at @tomkopchak and make sure to follow @nationalcptc for updates. Thanks everyone!
