The below opinions expressed are the personal opinions of student President Michael Bailey. Not of Marshall Academy, the club’s adults, or any sponsors or related entities. Please drop me a note before making any judgements related to the article.

Maryland Cyber Challenge, aka MDC3, was easily the most disorganized computer network defense competition I have ever participated in. This sounds like a clichéd “Oh, well he probably lost and just isn’t satisfied” post. You wouldn’t even be entirely wrong in thinking that. But when someone shows up the day before to a competition and the keynote is bragging about the team about to compete tomorrow and how they always win, the bias is really rather evident. When every other team has 6–8 images to secure and your team only has 2, you can hardly call the competition fair. Why am I writing this article? To make sure people know that this total farce of a competition will not have a bearing on our ranking/reputation as a nationally recognized center of academic excellence in the field of cyber security, why (assuming we don’t) we did not register in Maryland Cyber Challenge 2015, and to warn future registrations.

An actual still from their highlight reel. They spelt Challenge wrong. I’m pictured around the center.

Why losing never really made any sense

We lost in a Maryland Competition, being watched by the Maryland Governor, run by a Maryland university, to a Maryland team. Let’s look at a significantly more impartial competition, like the CyberPatriot National Defense Competition. It is actually so similar to MDC3, they used the same scorer until CyberPatriot recently upgraded. Loyola has been registered for a few years now. We are a certified Center of Excellence, meaning on the national level we are on the top of our game. The recent state round at CyberPatriot had us pitted against Maryland in national listings, and Virginia had 5th place and 12th place with their top two teams, while Maryland had the 20th and 22nd. That’s with the networking scores, which MDC3 did not test us in. They tested us in images. If you only account for image scores, four Virginia teams individually beat the best team Maryland could dish out.

Actual gaps in competition

If you’re pressed for time or super bored, skip the issues pre-competition section. I’ll only even be giving a sample. I won’t even be listing everything.

Issues Pre-Competition:

The Workaround: When we asked for a new hash (an identifier to register into a round initially) for one of their two qualifier rounds, I asked CyberNEXS for a hash. They then looped in the university contact. The university contact then asked me to loop in CyberNEXS.

Please learn to email.

The delay: We got our ID for Practice Round 4 at 12:40PM. It wasn’t functioning. We got a functional one at 7:48PM. It took them 7 hours to generate a new one and we were up until midnight in an effort to get a full competition period. I subsequently expressed concern that similar issues may come up during qualifiers.

Failure to Launch: Volume 1: We didn't get a full qualifier round. Boo-hoo. We warned them, “please fix this before a qualifier!” They didn't. It got worse.

Failure to Launch: Volume 2: In addition to the hash breaking, their front end scorer was completely non-functional. Meaning competitors could not see their scores.

Security Irony: I was leaked a URL by a certain member of Maryland academia. It showed our score and where we stacked up against other teams. It was listed under the CyberNEXS URL, so it was clearly legitimate. Turns out it was an accidental leak, and the scoreboard was promptly taken down by round two.

Issues During Finals:

Icanhazinterwebs?: We had a very specific plan involving a few choice Linux packages and Sysinternals tools to pwn in competition. Little did we realize, we were never going to have internet. As captain I immediately noticed we had none and flagged down a white team member. He told me that if I had read the participant guide I would have known we would have no internet access.

From the participant guide:

Internet access was impacted by an unrelated event earlier today, and therefore all high-speed Internet lines are down. You will only have limited access to the Internet (well under 1M) while connections are being repaired. This means you won’t be able to do large downloads.

AKA we should’ve had internet access and they just didn’t read the participant guide.

Shortly after, I asked what we were expected to do (which was a non-question, but regardless) with our plan. He told me:

“You must simply hack other boxes on the LAN” — White Team

This was one of the few things in competition we were explicitly not allowed to do. We would’ve been disqualified with extreme prejudice since it’s a CND tournament and not a CTF tournament, which was happening the other day.

Windows Server 2008 Incident: We quickly found out we never had access at any point to Windows Server 2008. I immediately flagged down the white team for assistance with Server 08, but they said it’s online and functioning. We’ve got probably 50%-100% of our team as Microsoft Certified Professionals, with a few having actually worked as employees/interns in networking. It’s highly unlikely we were just using RDP wrong. After putting a ticket in within about half an hour, they finally started giving me valid responses about 4.5–5.5 hours into competition. They claimed it was an open ticket up until the last 20 minutes of finals. They silently removed it from the trouble ticket interface (meaning teams were not allowed to say they were having issues with it through the usual channels, basically admitting there were issues) and never came back with an answer despite getting a reminder every half hour from us. The red teamers also said they could not connect to it or see it on the network, meaning it was not valid.

Windows 7 Incident: The only box we had stable access to was Windows 7. This box was disqualified from scoring in the last hour since “most teams could not access it”. They claimed if most teams were having issues with an image, it’s only fair they remove it from competition.

The Vanishing Text File Incident: One of my members (massive veteran) claimed their box was reverted when they asked for a restart. The white team profusely denied the accusation, saying it was only restarted. I told my member to remain calm. I placed a text file in a hidden folder in the system and requested the box be restarted again shortly after. The text file was gone, definitively proving the box was reverted and not restarted.

Windows XP Incident: We had to hack into our own box to start. The credentials they gave us at the beginning of the round did not start, so we used the common Sticky Keys hack that was apparently already set up to break in. We then had our connection dropped every 60 seconds.

IDS Incident: Their IDS was broken. We were told there would be an IDS. I literally trained with Snort and it was worked into our plan.

Imaginary Pre-Round: They gave us anywhere from half an hour or so to two hours (memory fuzzy) at the beginning of competition to go ahead and play around on the images. They weren’t entirely clear but they basically said it was a mock warmup that was totally planned. I still have no idea what they were actually doing.

Learn to math: We asked one of the white team members if it would even be possible to recover from our low score to first or second. He said it was always possible to make a comeback. This isn’t true. If you’re grading purely on vulnerabilities retrieved and system uptime, and if a team got all of the vulnerabilities and had constant uptime, they would be undefeatable. This was my question. We never got an answer. The same organizer claimed there were always issues in CND tournaments, citing CyberPatriot running the same CyberNEXS engine. I told him CyberNEXS was dropped from CyberPatriot, verified by a Redditor saying:

CyberNEXS was phased out (if I recall correctly) in CyberPatriot 4, at least partially. It was still at Nationals last year, but non-functional. CCS replaced it for early rounds at first, but then replaced it entirely.

Again, the only stable box we had was Windows 7 and Linux. Linux was never hacked as far as we could see and Windows 7 was disqualified.

Issues After Finals:

I casually slipped technical details of what had happened to our mentor toward the end of competition. They met and ultimately the Perseverance Award was developed. It was handed to our lower ranking team (DREAM) and one of the Loyola Blakefield teams (whom, by the way, I caught making a hilariously elaborate portrait on MS Paint on the Windows XP box when I went to go get lunch. Should I have looked? No. Did I particularly care? No. We were already out of competition). They were offered training for an exam that one can only take at the age of 18 and the chance to come back for a capture the flag competition (you know, the competition platform the college team did the day before and ended in a 7 way tie for 2nd place). The fact that they gave the chance to re-compete to the team that was ranked lower than us in our club was, honestly, slightly suspicious. We are not planning on accepting the CTF invite should we receive it. The opportunity should not be seen as a glorious prize, but rather the chance for the organizers to redeem themselves. The Perseverance Award was never recognized in the press or when they published awards (with the exception of DonsCSC who took credit for it on Twitter).

Please note we were at MDC3 last year, and while it had issues, it was within the acceptable limits. We took 2nd Place last year.

Closing: You Mad Bro?

No. I’m simply writing this as a full explanation to our club members of what happened, to a red teamer or two who seemed confused about our situation, and as a warning to other teams that may register. This is also an explanation of why we do not even consider this competition in standings. Did we receive prejudice since we were a Virginia team at a Maryland competition with the Maryland governor present, run by a Maryland university, and the keynote the day before was started with bragging about the glory of DonsCSC? It’s not my place to theorize that. While I’m confident we are ahead of Loyola Blakefield in CND tournaments (see: CyberPatriot for the past few years at the very least, the only other common link to our organizations), I have absolutely no prejudice against their school, club or members. They’re doing incredible work and I think schools could benefit from forming similar organizations. Congratulations on the win, DonsCSC. Also no prejudice against UMBC by any means. They’re an incredible university and I’m looking at them as one of my top, if not my top, picks for college.