Recently the Layer One security conference had its annual gathering in Monrovia, California. This year though, I did something different for the con – I elected to not speak, but to participate in contests – I know many very talented folks who go to conferences and essentially avoid the talks to spend time with people they only get to see a couple times a year, and to play in contests designed for this very particular, very clever demographic.
Several years ago, Dark Tangent invented a contest at Defcon called ‘tamper evident’. The intention was to train hackers on how to defeat security seals of various types ranging from stickers, to clasps, to ziptie-like things and all sorts of bizarre stuff in between. The contest essentially was a box that that teams were given, and the box was sealed with anti-tamper tape or stickers, and inside the box there were more envelopes and seals that the team had to ‘undo and redo’ without any evidence of shenanigans (http://s3.roosterteeth.com/images/Cless4354447044055.jpg). This particular form of contest never really got me excited – because – well … it’s a box. And you had to come up with like, a $5000 chemistry set to tote with you, and the teams got so enamored with it that they’d rent ANOTHER ROOM and set that second room up as a fucking lab to do the contest. Well more power to those guys, but that sort of investment to defeat a bunch of stickers was silly to me.
… Until this year. This year the logic to the contest was applied practically (or as I said it at con, this is “the practical application of tamper”). The organizers of the contest rented a room at the hotel, and renamed the contest to ‘The Room’. In the room they had placed a few items with tamper-evident seals, as well as meticulously positioned things within the room to leak if they had been touched or altered in any way. Things like positioning coat hangers a certain way, moving books around, or cutting sections out of book pages to leave items inside. False light bulbs, coins hidden in various places, rugs and towels carefully arranged.. They really took the time to turn what used to be ‘a contest about a box’ into a full blown spy game.
The thing that made this contest DISTINCTLY different were the theatrics. The point of The Room wasn’t just to ‘get in and defeat seals’ (we were worried that once we got in the room it would just be a box on a table and a stopwatch and they’d say ‘GO!’), it was the concept of tamper in practice – this was a room that someone was staying in, and our mission was to ‘find out as much as we possibly could about them’. Clues, props, receipts, the position of things, hidden documents – it was straight up out of a bond/bourne movie. We were graded not only on the physical tamper items, but we were graded on how well we understood the plot/narrative. Since this was a mock ‘intelligence operation’, the objective was more than just ‘defeating stuff’ – and that made it SUPER SUPER interesting.
We arrived to the con a day early knowing that we would need some time for prep – and we ended up hitting home depot, REI and another store to buy a bunch of kit. Hilariously, the only kit I personally used was my flashlight (a headlamp would have been better), and my camera. My teammate and I brought full kits with us and used practically nothing. He used a heat gun and a bit of acetone and tweezers for a couple tamper seals, but overall the “actual tamper” part was only a small component of the other physical stuff in the room.
The theatrics really were top notch. At the start of the contest we were given envelopes. They instructed us to find a man with a suitcase handcuffed to him, and to ask him about ‘the cobbler’. Once we did that, he asked us who we were looking for, and we gave the name that was on our envelope. At that point we were handed a burner phone and told to expect a call. The call came in and instructed us to go to a certain floor to meet someone – and when we did we were given a room key and told “You have 30 minutes, tell me everything you can about the person staying in the room”.
At the end of the day, after all of the teams had made their runs, we were gathered up to do a walkthrough of the room so the organizers could show us all the things they did, and where they were hidden. At the end of the walkthrough, Schuyler says ‘And props to whoever planted the buttplug, that was hilarious and amazing’. The room went dead silent and everyone looked around at eachother. One team spoke up saying ‘we found the thing – we thought it was part of the contest. It wasn’t part of the contest?’. Schuylers eyes get the size of dinner plates ‘Wait.. so NOBODY HERE planted the buttplug in the room?’ – a volley of head-shaking and looking around at everyone else in the room followed. .. then roaring laughter.
“Do you mean to tell us that out of EVERY POSSIBLE ROOM that the contest could have happened in, we HAPPENED to find the one where some previous guest had left a buttplug hidden behind a drawer, then forgot it when they left?”
This contest is bound by the rules of reality – in that without great involvement, “every aspect” of the environment simply cannot be controlled – we were at the mercy of the hotel for the room, and we were randomly issued one with a secret buttplug.
“Fate, it seems, it not without it’s sense of irony” –Morpheus
I spent the rest of the weekend laughing and shouting ‘what are the odds?!’.
Everyone who played thoroughly enjoyed themselves, and supported the idea of doing it again. Hilariously now the “buttplug incident” has set a precedent to stash sex toys after your room-toss for the next team to find.
Overall the contest was wonderful, completely immersive and a great time. If you dig on spy movies and ever had the inclination to play in that world for a little bit, this contest is your chance. I really hope to either see it at other cons, or again at Layer One next year.