05-18-2021, 10:11 PM
There is a BIG issue I can see with it initially, and that's the following line:
Code:
Moderator finds an actual database leak, removes the PII data and saves the hashes.
We as a community typically do not allow for real hashes of any kind in competitions, even "public" breaches that have been anonymized. The hashes for CMIYC are made by the host team every year, specifically for the competition, and all plaintexts to all hashes are known by the hosts. This avoids any moral or legal problems for the players, as cracking hashes from a real breach is a problem for some. I think I can speak for my teammates on Team Hashcat in saying that they would have a problem with a competition using real hashes.
As for the competition itself, it's an interesting concept but I believe it has some limitations. One of the major things that sets teams apart in the larger contests like CMIYC @ DefCon is not necessarily who has "better attacks" or "better hardware" but who has the ability to adapt attacks on the fly and recognize patterns as they are cracking. Most of the attacks we start with are extremely naive, designed to just try lots of things and "feel around" for patterns. Once we think we see a pattern in the plaintexts, we stop and design an attack for them and then try it. If it doesn't work, we have to quickly try something else, constantly changing our attacks throughout the time period based on how much time we have left and what information we can gather from the hashes we've cracked. The format for "Hash Olympics" doesn't allow for any of this; it relies on the assumption that you can guess or figure out what attack would be best without any ability to adapt during the run. If I understand the format correctly, the best possible attack would simply be the most common passwords and most common rules, optimized for the most amount of coverage in combination. It seems like there's not much room for improvement there beyond maybe guessing a less common pattern that is present and getting lucky.