During DEFCON the FTC doubles down on hacker games with Zapping Rachel

an LED lit jolly roger

Welcome to DEFCON

DEFCON is an annual convention hosted in Las Vegas for members of the computer security/hacker community to come together, learn from each other, and party with one another. Compared to its sister conference, Black Hat USA, DEFCON is more of a freewheeling party with 15,000 of your closest friends where you occasionally learn new things. More often than not it’s just full of shenanigans.

So I was surprised to see the Federal Trade Commission sharing space in the contest arena with legendary con games such as Hacker Jeopardy, Hack Fortress (shout-outs to team Jolly and Friends!), and MohawkCon. And the FTC wasn’t just offering free T-shirts to winners; up for grabs was $17,000 in real prize money!

Zapping Rachel was the FTC’s contest to fight back against robocalls, those annoying mechanical solicitations that inevitably interrupt you during dinner, your favorite show, or something better. This is actually the second time the FTC has held an open contest on the problem. Robocallers illegally call you after you’ve opted into the Do Not Call Registry and, worse yet, call you on your cell phone. Who does that?

The FTC’s first anti-robocall challenge resulted in a product called Nomorobo. Even so, FTC staffers “still receive approximately 150,000 complaints about robocalls every month,” said agency spokeswoman Cheryl Warner, adding: “Clearly the robocall problem is still plaguing consumers.”

This year the FTC broke its challenge into three parts:

  1. Creator: Contestants were tasked with building a robocall honeypot. A honeypot is a standard weapon in the anti-hack arsenal. The idea is to have an object (a computer, a person, or in this case a telephone number) that acts as bait for the bad guys (or gals, to be perfectly non-sexist about it). In this case the FTC was interested in identifying when the no-goods were spoofing caller ID numbers.
  2. Attacker: The attacker teams had to design and implement systems to fool and otherwise attack theoretical Creator honeypot systems.
  3. Detective: Upon receiving data from a Creator honeypot, detectives had to analyze the data to identify robocallers and attackers.

How well did everyone do? The official announcements are still to come from the FTC. But, said Warner: “While we had 21 registered contestants for [Creator], and maxed registration for [Attacker] (at 25 contestants) and [Detective] (at 50 contestants), we ultimately received 1 submission for [Creator], 1 submission for [Attacker], and 11 submissions for [Detective].”

It was a nice attempt to reach out to the hacker community, but I feel that they could have done it better. The FTC only announced the contest a month and a half before the conference. And once registration opened, the first segment was over in a day and everything was over a day after that. Not really enough time to collaborate with new friends and strangers. In fact, barely enough time to get through the epically, and I mean epically, long registration line.

So not so great. But the ideas! The FTC hopes to continue its relationship with the DEFCON community in the future. Maybe next year the FTC will ask for help tackling telephone and mobile service complaints or anything else on its giant complaints list.