ECSC in Hamar, Norway
Table of Contents
The European Cyber Security Competiton 2023 (henceforth, ECSC) in Norway was so much fun. It's definitely one of my favorite trips and travel competitions. It was also one the biggest dumpster fires I've had the pleasure of witnessing.
I think ECSC is the most presitious annual cyber event for people in the EU. I say, "I think", because I don't live in the EU, but that's what it sounded like from talking to people. The energy there has more hacker spirit than any con I've been to. And since they're nice they let us (the United States team) come and play on the guest leaderboard!
I went to Oslo and Hamar as part of a ten-member team for the US Cyber Games (AKA Katzcy, you can read my opinion on them here). The travel was insanely stressful, the event was held together by toothpicks, glue, and dreams, and they halved our score by not knowing how to use LibreOffice Calc.
I had never been to Europe either, so it was super cool to be able to go for free, and have a planned event to do while there. My goal is to talk about the competition but also just a fun Norway trip :) I respect your time though so I'll stuff the travel blog stuff in detail dropdowns.
Travel to Norway
All the flights and accomodations were paid by Katzcy, but they sure ain't paying for nonstop or business class. I had a connection in Amsterdam, but otherwise it was pretty painless. I also do not speak Norwegian so I had to do some guess and check at the train ticket station.
cat traveldetails.html
Embarking to the great Euro-land
I flew through Amsterdam and had to stand in line with all the other clueless Americans... people were stressed about missing their flights, and the line for customs was horrendous. I was kind of sleep deprived so I just time warped through it, it took maybe two hours. And straight to another flight! I would have liked to spend more time in central Europe (please pick me to go to Italy next year Mister Katzcy).
You know how Mexico is always portayed with a thick yellow filter in TV and films? I kind of expected the Nordic countries to be like, a blue filter. And they actually kind of were! This was in October and everything was seeped in a nice cold blue-gray.
Solo travel pre-gaming
I thought it would be a great idea to arrive a couple days early to enjoy the free vacation. When in Norway, after all. I also thought all the other cyber freaks would join me... but they did not lol. I was the only one around for about two days in Oslo. Since I had to find my own hotel I got an airbnb with a very nice old lady. And oh boy did the wooden floorboards creak when I got back at 11:30PM from trying to visit boba shops.
The jet lag and tranquility of the Oslo "suburbs" put me in a kind of trance. There was a botanical garden (a very sizeable outdoor museum) maybe thirty steps north from the airbnb, where I spent a couple hours walking around in complete slience, observing all the plants, taking refuge from the cold in the tropical plant house, and pretending to know Norwegian. I really enjoyed this time. It was like visiting an alien planet. Nothing was familiar, but it was still comforting. I spent a lot of time thinking, what do I really want to do with my time? I'm here for a CTF event. I'm having fun, but I'm not even really a CTFer.
Saunas
One of my favorite experiences was the saunas on the fjord. The idea is, you steam yourself in a sauna then jump into the ice-cold water. It was only a couple bucks for access to a self-run floating sauna. The first jump was such a visceral shock, it felt like I couldn't breathe. But it was very refreshing and engaging. Definitely makes you feel alive.
Apparently this is more of a Finnish thing-- the competition venue (in Hamar, a smaller town) did not have any active saunas. This did not stop the Finlanders from walking into the freezing lake at 9AM.
Tagentially, what makes a good travel experience? My good compatriot Samwise and I have developed the ideology of the "full body experience." Essentially, I get sick of looking at things pretty quick. Love a good museum or two, especially if you can touch things (like a garden museum). But my eyes have limited throughput. The other senses are untapped bandwidth! Tasting, diving, moving, manipulating, running, smelling, falling, sneaking, freezing... these all make for super enriching experiences and they're the ones I tend to remember the most.
Team Video
We met up with a gaggle of other USCG competitors, and the team was informed we had about two hours to prepare and submit a team video to be played at the opening ceremony. Ok!! We stood outside the Edvard Munch museum (yes I did get a picture with the scream) and fed some very bitey swans. We slapped a two minute video of that together with Triple Baka as the soundtrack. We finished editing on the train (with Blender, FOSS for life) and uploaded it right before the deadline.
Predictably, it was not played. Nor was the other video made by our teammate who lost their passport. Oh well. Maybe the real flags were the friends you captured along the way.
En Route to the Vikingskipet
Enough bumming around Oslo-- it's time to compete. RAHHH!!!! After some shenanigans with losing our locker combination, we went to the stasjon (prounounced stas-john) to hop on one of them train lookin' things to Hamar. Hamar is a relatively tiny town and we got there at 8PM, so it was pitch black outside. That didn't stop us from walking thirty minutes to the VIKING SHIP OHHH YEAHHH!!!! The venue was massive. It was also the site of the 1994 Winter Olympics, as was impossible to forget because they kept saying it.
The orientation was very boring. A lot of sponsor talk.
ECSC
ECSC Norway was a three day event, two jeopardy days with an attack defense day in the middle.
What are the possible mistakes you can make when running a CTF? Ok, now how many can ECSC Norway fit in three days?
- ✅ Never starting on time
- ✅ Not releasing challenges on time (even the delayed time)
- ✅ Not releasing only some challenges
- ✅ Not releasing only some challenges to only some teams
- ✅ Bad credentials for A/D platform
- ✅ RCE in A/D challenges
- ✅ Broken challenges
- ✅ Re-used challenges
- ✅ Arbitrary rules, poorly enforced
- ✅ Banning swearing then punishing it by reposting offending messages in the announcements channel
- ✅ Multiple stupidly easy challenges made in-house
- ✅ Only firewalling off some teams
- ✅ Broken scoreboard
- ✅ Broken scoring
- ❌ Shooting competitors with a gun
So I suppose it could be worse. One of the biggest culture shocks for me was that the Europeans are absolutely brutal. They have no mercy and will mock the organizers' incompetence through any avenue available to them... This is what every message looked like:
That would never fly in the US of A. We would just mock them behind their backs. It did sometimes seem like the organizers were intentionally being obtuse or malicious, but the rest could be an accident. (They banned swearing, including "lmao", and someone was manually muted for bypassing the filter with "lm*o"...).
There was a pretty clear split between ones written in-house and the outsourced ones. If the outsourced ones weren't reused or leaked in other events, they would have been good challenges. But the in-house ones were trivial, and seemed to be written in a hurry. For the RE ones (I was on mostly RE for this event) they were straightforward in GDB or solveable with angr. I solved ~3 before the just the hard ones were left.
Although, there was this one really good HackTheBox challenge that was a "backdoored" verilator binary, so it was a simulation of FPGA code (verilog). angr predictably was not having it, and it was super dense. I spent most of the rest of my time on this and didn't solve it (many thanks to astrid for explaining the solution after the event). I think if I tunnel visioned less and thought more about how the chall was designed then I would've had a better shot, since typing "si" into GDB and seeing what changes is my main skillset, but also skill issue and it was a good chall. I heard the hardware chall was also quite good.
We were very briefly first place on the guest leaderboard 😎 Since we are not, in fact, Europeans, we are on the guest leaderboard (with Canada, Singapore, Serbia, Georgia, and Costa Rica). The competition is much easier than if we were competing against all the EU countries. To win guest leaderboard you probably only have to place ~10th overall.
Attack/defense day was a nightmare. A/D events are much harder to run than standard jeopardy, and the jeopardy was a tire fire. There was supposed to be a grace period where teams had an hour to fix their services and write sploits before the network opened, but only SOME teams were firewalled off! So some teams could access all boxes from minute zero. And throw in all the usual problems, like not having access to Gitlab (where we needed to submit patches), and broken challenges.
Naturally, some of the services had RCE (remote code execution). A/D services are not supposed to have RCE, since then it turns into a host OS defense/attack game like CCDC. Almost all the services had RCE or a flag DOS (where you could delete previous flags, so a race condition). Canada spent most of their time pilfering flags from the RCE boxes, and somehow we still beat them out on A/D score by a lot.
This was the first event where the exploit thrower I wrote was used. I basically spent the whole time fixing it, which is a soft throw by itself. (Perhaps I am the exploit thrower.) It was pretty disastrous but we did win A/D day by a pretty huge margin! We almost doubled the next team on the guest leaderboard. Due to team secrecy I won't talk about everything I screwed up with the thrower but rest assured it was bad. Writing code while panicking and having nine people actively use it is NOT conducive to good software.
Food and Lodging
So yes, the competition was a flaming trash heap. But the lodging, physical logistics, and food was legitimately awesome. The hotel breakfast was the best I've ever had. The banquet hall dinners were excellent. Their fanta is way better than the USA version.
There's also this delicious chocolate banana marshmallow, I've never had anything like it. Its name? BANAN. Deilig bananskum! I love banana scum. They were very tasty. Top five favorite snack desserts for sure.
Scenery
Hamar has a ton of public parks and other fun things to do outside. Along with all the fjords and lakes and stuff. The Norway motto is apparently, "there's no bad weather, only bad clothes!" While I disagree, it was very pretty. You only had to walk for about 10 minutes from the venue before being at the water.
(After the event we went to Gjøvik.)
This event was three days with more time between, so I had a lot of time to hang out with the team, go on fjord walks, search for saunas, and eat out. After every event I always feel so grateful for my teammates and the fact that I get to do stuff like this.
The Awards (AKA Spreadsheetgate)
Originally, 50% of the score was A/D and 50% was jeopardy. But they screwed up A/D so bad that at the end of the event, they decided to lower the percentage to 25%. If they maintained the original scoring, we would've been 1st in the guest category. Oh well, I'm happy with 2nd.
We're at the awards ceremony, looking down at the stage. Guest leaderboard announcements... third place... Serbia. Ok, ok. Second place... Singapore. Wait no way! We got first?? First place... Canada.
A solemn blanket of disappointment falls upon the gamer crew. We got fourth? Out of six teams? Really? Our only solace is hitting up the local Norwegian American style Italian pizza joint.
Later that night, they finally release the score spreadsheet:
................................the organizers copied and pasted the formula from another spreadsheet that had our row position with a different score multiplier. So they effectively halved our A/D score, which was our best score.
Here is the incorrect spreadsheet, notice the 4000 only for team USA's AD points:
Here is the fixed sheet. We went from 4th (15442), to 1st (19442)!! In reality we got 2nd since the multiplier was supposed to be 4000 for everyone (that's the A/D points being halved). But if it was 8000 for everyone!
There was never an official announcement for the placement change. But we did talk to one of the organizers afterwards who apologized for the trouble. It kind of felt like he was forced to do it and it was extremely awkward, but I appreciate the sentiment. Oh also during the awards ceremony they exited presenter mode and accidentally flashed the slides announcing the winners. Naturally someone took a photo within the 1.5 seconds it was up and posted it in discord.
Travel Hell
Likely due to my own travel skill issues, the way back was very... logistically challenging. But I made it!
Tell me about it.
WELL, since you asked...
It all began when I was setting my alarm the day before. I spent a good 10 minutes at 1AM trying to figure out why my alarm for 6AM was not correct (the "hours until alarm" was wrong). Turns out, it was daylight savings time in Norway that night! Why? I thought DST was a uniquely American mistake.
I wake up a couple hours later feeling like I hadn't slept. I took the bus to this airbnb in the middle of god damn nowhere, because I thought it would be closer to the airport (it was by distance, but not on any major metro line-- stupid car-brained idiot). I needed WiFi for the bus ticket (whose idea was that?), and the WiFi didn't extend to the road. I had 60 seconds once activated before the ticket expired. So, as soon as I saw the bus approaching, I hit the button and ran to where the bus had stopped the day prior. Only for the bus to stop about 100 feet away on the OTHER SIDE OF THE ROAD, and continue on, without picking me up. The bus was coming from the opposite direction........ I thought it would stop at the same place.
Ok, so. I can take a taxi. That's a no-go, I have no service. I am now locked out of the airbnb as well, and nobody is around. I could run to the train station, which would take about 50 minutes running. The next train time (cached offline) is in an hour. AHHHHHHHHHHHH!
I sweat and beat my heels into the ground, running a couple miles with a heavy backpack, full of my fancy Norwegian chocolate. I make it to the train station, find the one working ticket station, and buy a ticket to Oslo.
Ok, all good. Until I get to the airport. My flight is canceled?! Oh, I've been rebooked. I had to print my tickets to find out since there was no notification on the departure board. Ok, no biggie, I can cope.
I fly to Amsterdam. The transfer is across the ENTIRE AIRPORT, and the flight from Norway is delayed by an hour. My layover? An hour. I have to sprint across the entire airport, going through customs. Again with the sprinting. I am so sweaty and so smelly and so tired. I run what must be at least two miles across the airport. I run into someone else along the way who is also running, and also has an American passport. A friend... "Going to JFK?" "Yeah." That's all we said, continuing to run. Every step the strap of my backpack digs into my shoulder, throwing me off balance.
I arrive 40 minutes after boarding starts, and the line is still huge. I'm in the very back of the line, grateful but also mad at Amsterdam airport. When I get to the front, I hand my SSSS-marked boarding ticket, and I am asked to step aside for additional screening. The two presumably dutch men take a thin piece of cloth from the American-made explosive powder detection machine, run it across my shoes, hands, and bag, and put it in the machine, where it does some laser crap to test for it. And it says, POSITIVE! ???? They are befuddled. Clearly this has never happened before. They elect to try again rather than shoot me in the head. The same cloth is now fire hot, and they run it across my shoes and hands and bag. Putting it back into the machine, it comes back negative. Thanks, security theater military industrial complex.
I am finally let on the plane as the very last person. At this point I am legitimately rancid and I do my best to not move too much or breathe too deeply. I have time to bathe myself in the bathroom sink during the flight, until we get to JFK, voted people's least favorite airport for 300 consecutive years.
As soon as I land at JFK and have service, I get a text that my flight has been delayed from 9PM to 11PM. When I leave terminal 1 (international), I am already spit outside of security, so I'd have to go through security again anyway to get on the domestic flight to BWI. "Wow, that's four hours," I think, naively. "That's a lot of time to explore New York!" I always wanted to go to Flushing to try the boba places in their chinatown.
I hop on the air train to the red line. I take some busses and accidentally steal some rides (I didn't know you had to scan in and out). They don't seem to care, and they do not check that you paid. I try the boba places. They are amazing. I get dumplings from a food stand with a "B" health rating. Wow, that's culture. Then, I get a text on my phone. Your flight has been moved to 10:20PM. What?! They can move flights UP? I thought that was illegal? Ok, 40 minutes, that's not bad. I have to skip a couple boba places and hop back on the bus. My phone is almost out of battery and the bus I am taking does not have functional stop indicators, so I really have no idea where I am without GPS. I ration battery and use organic maps to make the most of it.
I'm at the air train again, almost back to security. It's 9:30PM. I get another text. Your flight has been moved to 9:40PM. WHAT?! I was already walking quickly, but I start sprinting. When I arrive at the security line, it is stupidly long. It is the longest security line I had ever seen, by several orders of magnitude. I stand in line for about 5 minutes before I see that it will easily take five hours to get through. My stomach contents is 90% tapioca pearls. My flight is supposed to board in 10 minutes. If I miss this I will have to lose $200 bucks on a flight, stay overnight and miss work, and I do NOT have any remaining PTO. (This was before I started being an LWOP user.)
I was turned away from the TSA precheck line earlier, for reasons unknown. But I'm standing next to a woman in line who decides to make a break for it and check the precheck line anyway, and she doesn't return. I have five minutes until they start boarding. The only way I'm making it through is the precheck line. I spent my 80 dollars to not have the government grab me by the ankles turn me upside down and shake me violently, and I want my value.
I find the line, which appears to be closed. "Is this the precheck line?"
"Yes, but it is closed." The employee is not happy to be talking to me.
"Closed? But the airport is open." I respond. My blood pressure is so high that if you pricked my finger it could cut steel.
"Precheck closes 9PM." He turns away from me.
My brain expands to encompass the entire known universe. One of the busiest airports in the world...... precheck closes........ at 9PM. Why?! I contemplate committing suicide and/or simply teleporting through security by sheer power of will. Before I remember my golden ticket.
"I was talking to a women just a minute ago, she made it through," I gamble.
The TSA employee acknowledges me as a worthy enemy. "She was advantage plus member," he suggests. He waits a brief moment for my repsonse, then senses my weakness. "The line is closed, please go over the main line."
I know arguing never works but I have to try anyway-- "I'm TSA precheck and my flight leaves super soon," I say, handing him my boarding ticket that still says 9PM. He looks at it, then looks me up and down. My hair is matted with sweat, my eyes are bloodshot, and my skin is so greasy you could stir fry dumplings on it. He decides that he has not yet done his good deed for the day. "Ok," he mutters, and lifts the ribbon blocking me, and waves me through.
"Thanks!" I rush before he can change his mind. What?!?!?!?!?!?! I can't believe that actually worked! I thought I was going to have to sleep on the concrete outside and defend my turf all night. I'm through security in 5 minutes flat, I sprint to my flight, and they are predictably, delayed. I have about 15 minutes before they start boarding. Perfect time to go to the bathroom and drown myself in the toilet.
Concussion
Based event, super fun, would do again. Best wishes to the organizers although I don't think they'll ever live it down