FluxFingers @fluxfingers, 19 tweets, 3 min read
In light of the recently concluded hack.lu 2018 CTF, we would like to put out some words about the 'steg0' challenge we put out this year. 1/19
The challenge was supposed to be a kind of ironic comment about the guessing-intensive nature of a lot of steganography challenges rather than an actual challenge. 2/19
We tried to make this fact clear to the participants in different ways to make sure they take it as a comment rather than spending time on it. The main points in preparation of the CTF were: 3/19
1. An HTML comment in the challenge description stating that the challenge was actually fake
2. A description that mentioned that only an output of /dev/urandom was to be found in the download 4/19
3. A comment in the initial download zip archive stating "there_is_no_flag"
4. FluxHorst being the author of the challenge, whom we (traditionally and presently) used mostly as a scapegoat in CTF announcements and challenge topics 5/19
5. The presence of a predecessor challenge in 2012 including a similar satire of the "recon" category
6. The fact that googling '"FluxHorst" hacklu' directly leads to the aforementioned predecessor challenge 6/19
We also monitored the reactions to the challenge as well as questions coming in. Different factors contributed to our belief that everything was indeed being understood as intended: 7/19
1. We answered any questions regarding the challenge by stating that the challenge was actually fake
2. Somebody stated in the IRC channel early into the CTF that he confirmed the challenge actually being fake 8/19
3. The IRC channel quieting down considerably regarding the challenge after the aforementioned message appeared in the channel 9/19
We also want to mention different things that went wrong from implementation flaws to our assumptions being flawed: 10/19
1. As far as we can tell no team actually saw the HTML comment in the challenge description
2. Participants do not get alerted by challenge descriptions stating that the given download does not contain anything meaningful 11/19
3. One member of our team implemented the challenge on short notice during the night prior to the CTF, with the idea literally only being 'head -c 1234 /dev/urandom > dl_file'. The member spontaneously added some stages (including the zip comment/encryption) 12/19
4. The script generating the encrypted zip was flawed, leading to the zip password being a single character 'e' instead of 'there_is_no_flag' 13/19
5. The predecessor challenge in 2012 seems to have received some criticism at the time (which the current challenge creators were not aware of)
6. We had no one actually reviewing the implementation of the challenge itself 14/19
In hindsight it became very clear that we failed to inform people properly about the intent of the challenge. In fact we should not have put it in in the first place. 15/19
We would like to sincerely apologize to all the teams who spent countless hours on finding something to see where literally nothing was to be seen. We value the time of the incredibly talented members of our community very highly. We essentially wasted it during the CTF. 16/19
We would also like to apologize to the teams that feel like points were stolen from them because they allocated a lot of resources to solving a previously unsolved task in pursuit of getting ahead in the very tight race for first place. 17/19
We especially regret our decisions just before and during the CTF, as a poor spontaneous decision and not properly correcting it seem to nullify the literally hundreds of hours which went into the preparation of the CTF. 18/19
We will make sure that this kind of challenge will not come up in any hack.lu CTF _ever_ again. We hope that many of you who were participating and were not affected by the particular challenge still had fun and learned something. Your FluxFingers 19/19