Forgot about t2 | Program beta out now

It’s pretty crazy that even Dr Dre managed to release new music since the last time t2 was organized. The 3.5 years without a conference definitely put a dent on the proverbial ’64 Impala, despite a steady stream of releases from our favorite artists. Even FSMCs performed live!

“They wanna know if AB still got it,
They say confs’ changed, they wanna know how we feel about it”

— Still t2

Coming back from the cold, CFP was one of the hardest ones we’ve had so far. The most brutal reviews and expectations for whether we curated a relevant program consisting of decent content or not comes from within the AB. “Why is that?” you ask sitting on a comfortable lobby bar sofa.

The Advisory Board of t2 has always had an aspirational goal of some day achieving certified status with the prestigious Security Vacation Club, yet we have decided to not submit an application until we can demonstrate a track record of at least twenty successful events.

On practical terms, using random puzzle pieces to put together a sensible picture, isn’t just dependent on the quality of individual pieces. It also depends on other ones on the table at the same time.

Right now we feel there’s a credible set of heavy hitters to warrant publishing our program in beta. Having said that, we are still working on it to make sure there’s the right recipe in the mix to facilitate those lobby bar discussions.

We still have about 25 tickets left. If you plan on attending and have not yet bought a ticket, it’s more or less the perfect moment (and second-to-last chance to do). The closer the event gets, the more likely it is someone comes and just buys 5+ at a time.

And yes, it’s on – with additional small print: a t2 Scarab challenge winner who uses a white ’86 Testarossa for ground transportation during the whole duration of t2’23 receives a free entry to t2’24 and t2’25.

t2’18 challenge winner announced

This year we altered the challenge format once again, and ran it in the form of a free-format application over e-mail between the 4th of July and 4th of August. Neither attempts at bribery nor cheating were noticed, which was a slight but acceptable disappointment for the Advisory Board.

As it has been the case in the past, the same names often show up in the Hall of Fame. Whether it’s the technical talent, persistent effort or being in the right place at the right time, Fortune favors the bold.

Congratulations Carl “Zeta Two” Svensson! Well done!

To demonstrate what it took to receive the ticket, here are selected highlights from his long application:

We would also like to thank everybody who participated in the challenge this year. Your submissions were greatly appreciated. In other news, the ticket sales have been active during the summer and we are expecting a flood of registrations once the preliminary schedule is released. To make sure you don’t miss out, register now to guarantee your place at the 15th anniversary edition of t2.

t2’18 challenge

Regular visitors and friends of t2 know our struggles with the annual challenge. The main purpose behind the puzzle has always been to find and recognize passionate people who have the talent, but sometimes lack the necessary budget to attend the event. We strongly believe in paying it forward and this tradition is something we want to hold on to.

For t2’18 the annual challenge will take a new form. To showcase technical excellence and prove you deserve a free ticket, all you need to do is submit an open application (preferably in ASCII format) over e-mail. Whether it’s your tool repository on github, awesome local meetup presentation, craziest exercise in memory manipulation, a recent bug bounty submission or something completely different, let us know. Supporting evidence goes a long way.

Rules of the challenge

  • The Advisory Board will select 0-2 ticket recipients out of the submissions
  • Challenge deadline is August 4, 2018 @ 23:59:59 UTC
  • Submissions must be sent to info-2018@lists.t2.fi
  • Criteria for selection is unscientific, tough but fair and may change at any time
  • Participants unestablished in the security industry will receive a scoring multiplier
  • The free ticket entitles to the same perks as a single regular ticket
  • Travel costs (if required to participate) are not covered by the prize
  • Decisions are final, but we still love you. It’s not you, it’s us. We hope we can still be friends.

t2’17 Challenge winner announced

This year’s free ticket was awarded at LocalTapiola HackDay to the team who discovered the most severe vulnerability. After a full day of analyzing, verifying and rating the reported vulnerabilities, we had a clear winner rising above the competitors.

Congratulations Harri Kuosmanen of team ROT! Well done!

We would also like to thank all the other teams and those participating in the challenge during the summer. The countdown to t2’17 starts now – see you on Thursday! (..or Wednesday night at one of the many pre-event meetups/lobby bar gatherings)

If you have ideas on how to give out free tickets to our 15th anniversary event next year, please let us know!

What ever happened to the t2 challenge?

So, the t2 challenge of 2017.. It’s over for sure, but not in a way we anticipated. Before we get ahead of ourselves, let’s get back to the beginning.

The challenge was originally created in 2005 to give out free tickets to people with fantastic technical talents – there were two tracks, speed and elegance. You could either win by being the first one to solve the challenge, or by submitting the finest write-up. The idea was that also those without a personal training budget had a chance of participating the event – in practice, many new talents got a turbo boost for their contacts and career in security.

The format was successful for almost a decade, until the successful completions, attempts and downloads/page views started to drop steadily. The numbers were coming down and there was no denying it – the format of each year’s challenge appeared to have no effect on this.

We tried to compensate by putting more effort into creating the challenges, and promoted them also on Twitter in addition to the traditional channels. Alas, this did not work and we pivoted to a bug bounty this year.

The challenge was open for three full months over the summer, and during that time our own tweets alone reached over 130 000 people. Further promotion was done on our own blog, and mailing list, in addition to Full Disclosure and DailyDave. In the spirit of past challenges, the rules emphasized quality submissions and finesse to allow people to focus on what truly matters. Most importantly, the target had been selected exclusively for the t2 challenge, and had not been previously subjected to a bug bounty.

Despite a major scope increase two weeks before the challenge end date, we received exactly zero submissions. Not one, not two, but Z-to-the-E-to-the-R-to-the-0. Talk about failing..

Our question now to you, esteemed fellow hackers is:

How should we give out the free tickets in the future?

Please tweet or e-mail us, we want to hear your ideas! All feedback on the subject is appreciated.

There is sunshine after the rain – our good friend Leo Niemelä invited t2 to judge the annual LocalTapiola Hack Day. That’s the where the story continues in the following post.

t2’17 challenge update

We are updating the rules slightly, and increasing the challenge scope to cover the complete LocalTapiola Bug Bounty program.

The basic rules stay the same, with these changes:

  • The in-scope domains are expanded to cover all the domains that are in-scope in the normal LocalTapiola bug bounty program as well
  • All submissions are eligible for bounties – the rules are the same as in the normal LocalTapiola bug bounty program ($50-$50k)
  • Only NEW reports are eligible – don’t duplicate current open and/or unresolved reports from the normal LocalTapiola bug bounty program
  • In any case of confusion or ambiguity between the two bug bounty programs – LocalTapiola reserves all rights to make wise decisions

Happy hunting!

t2’17 Challenge – a break from tradition

This year’s pre-conference challenge will be a t2 exclusive bug bounty. For more information on how to participate, please see the t2’17 Challenge page.

As we’ve been organizing challenges for over a decade, you might wonder why change now? For several years in a row, the challenge participant numbers have been steadily declining, despite increased efforts put into creating the technical puzzles, challenge descriptions and back stories, and actual promotion. It’s not just the number of submissions, but also the downloads and page views. Thomas Malmberg kindly pointed out that with conference challenges we’re competing for people’s time – this is the arena where also bug bounties play.

It was time for us to either adapt or perish. This being t2, failure was not an option and quitting is something you do for apps, not in real life. With conference budgets one simply does not organize a bug bounty – you need friends’ help for that. That is the reason we partnered up with LocalTapiola to provide you a t2 exclusive bug bounty, targeting a real world business application running in production environment. To make sure the spirit of t2 challenges is still there, we are emphasizing the vulnerability quality and proof of exploitability. The challenge is not a speed competition – the most elegant and meaningful vulnerability submission will receive the free ticket, and we have adjusted the whole bug bounty process to reflect that.

Once you convert someone else’s medium severity local file read into unauthenticated remote code execution, you start to value proper analysis and investigation into the technical details of a vulnerability. In other words, 2002 called – they want their apache-scalp.c back. The 15 year anniversary is a pure co-incidence, as is Dave Aitel’s headline keynote at t2’17, the stars just happened to align the right way, like good exploitation primitives after putting in the time and effort.

The challenge is dead. Long live the challenge.

We hope you enjoy the reinvigorated format!

Solving the challenge: 2016

Since the first event in 2004, t2 has released annual pre-conference challenges for the attendees, people interested in showcasing their skills or gaining free attendance to the event. In this video from 2016 Ludvig Strigeus and Timo Hirvonen walk through the challenge and show how it’s all done.

Even if you are not into solving challenges you can learn how Ludde created a complete taxi meter application with built-in casino games!

t2’16 Challenge winners

Carl “Zeta Two” Svensson from Sweden was the first one to solve the t2’16 Challenge. Well done! Congratulations!

The elegant write-up trophy goes to Alexander Polyakov, Russia. His write-up will be published soon so you’ll have a change to evaluate the submission yourself.

Congratulations to both winners! We would also like to thank each one of you who participated. Last but not least. if you have an interesting idea for t2’17 Challenge, please let us know – authors get a free admission to the conference among other perks 😉

t2’16 Challenge write-up submission deadline is 2016-10-08 10:00 EEST

This is just a short note to let you know that the deadline for t2’16 Challenge write-up submissions is 2016-10-08 10:00 EEST, after which the creators of the Challenge will select the winner.

Please remember that the criteria for the selection is the elegance of the answer. The solution must include a detailed description of methods and tools used. If you don’t know the definition of elegance – please check out the winning write-ups from previous years.