Home | Trace Labs is Bad

Abusive Judges.

A recent Trace Labs capture the flag (CTF) competition has been marred by controversy following a dispute over the conduct of one of its judges. At the center of the issue is a team in the Trace Labs event held at a conference. This team has brought forward a series of grievances indicating unfair treatment and biased behavior from a judge who self-appointed to evaluate their performance. The judge, from multiple accounts of people who posted from the conference, was upset that his courses were rejected from one of the team member's content platform, which led to direct sabotage of a CTF and an event meant to do good for the community..

The following information below is data that has been collected and compiled based on published knowledge around this case.

According to the team's account, the judge in question, who has later been identified as Joe Gray, actively sought to undermine them by making derogatory comments to various individuals both before and during the competition. The situation escalated when the judge, after failing to obtain the team's name through direct messages, confronted team members and one member's spouse at their company booth, continuing to speak ill of the team. The judge eventually abused his powers, using his OSINT background to look up the emails of the competitors and identify the team.

The judge then inserted himself into the position of evaluating the team's competition submissions 30 minutes into the event. From that point, the team notes that their submissions stopped being graded, which deprived them of the opportunity to receive feedback and resubmit their entries — a process that was available to all other teams.

Image 1: The team's scoring is halted, less than half way through the competition, which lasts the remainder of the event.

The team provided evidence of their submissions being wrongly rejected, including one with a substantial point value, which they believe directly contributed to their loss of the lead and potentially the win.

Image 2: The judge in question rejects a 700 point submission, claiming a "later" comment states the person was not found

Image 3: The submission in question clearly shows that the rejection was incorrect.

The team's attempts to address these issues with Trace Labs staff were met with excuses and dismissal, and subsequent efforts to escalate the matter did not result in any corrective action. One team member notes that attempts to report the behavior were first made at the conference, which led to the Trace Labs Director on site, Alex Minster, to tell the team to take it up with another director (presumably Tom Hocker) and walking away. The team member also notes that he reached out to Trace Labs via email and was told to let the conference handle it and "I don't think we'll need to connect separately at this time." This lack of response has led the team to conclude that there was a deliberate misuse of power aimed at affecting their chances in the competition.

Image 4: Trace Labs suggesting there is no need to meet, nor handle the issue at the organizational level.

If There's One, There's More.

Due to the lack of response from the Trace Labs organization, the team in question felt that it was necessary to share their story with social media. As of the time of this writing, that post is still public and can be found here: https://www.linkedin.com/posts/heathadams_i-truly-regret-having-to-make-this-post-activity-7125518074157404160-Qafi

Image 5: The original blog post from a team member.

Unsurprisingly, a post like this brought out several other public complaints about the Trace Labs organization. Here are some of those:

Trace Labs Response (If You Can Call It That)

The aftermath of the competition saw TraceLabs publishing a blog post on the incident. The team asserts that this post was misleading and accused them of intimidation and bullying the judge involved. No proof has been provided by the Trace Labs team and multiple witness accounts from the conference attest to the opposite. Below is the blog post as Trace Labs may eventually modify or delete it.

Image 10: The original blog post from Trace Labs

It is clear in this case that the Trace Labs team is simply looking to shift the blame away from them and onto someone else, while providing no evidence. This is a classic attempt at spreading misinformation in attempts to discredit an accuser, something that the OSINT professionals that work at Trace Labs would be well-versed with.

The easy, and professional, response here is to say something as simple as "We are aware of the complaint that has been made against one of our judges and are collecting all evidence necessary to make a decision. Please know that we have a zero tolerance policy, as per our Code of Conduct, for the actions that have been alleged in the complaint and should the evidence prove a violation of our policy, swift action will be taken." Instead, they levied accusations against the team. Who does that?

The Continued Spread of Disinformation

Further exacerbating the situation, TraceLabs is accused of cropping and misusing a team member's statement from their Discord channel to falsely suggest that there was team support for TraceLabs' version of events. Even after the team member clarified that his initial, now-deleted, comment was sarcastic, the organization continued to use the edited statement to convey a false sense of resolution and progress.

These events were described by Heath Adams in his post found here: https://www.linkedin.com/posts/heathadams_im-sorry-but-trace-labs-is-now-resorting-activity-7128580025276133376-J_8O

In order to preserve the integrity of what happened, Heath Adams' statements will be used verbatim below, along with the images he provided.

"Trace Labs posts a blog about our incident, making outrageous statements that we intimidated and bullied the judge, who was Alex/Belouve, by the way. Our teammate, obviously upset by these false statements, made a sarcastic comment in the TL Discord."

"Our teammate realized he was thinking emotionally and deleted his message because we're above that, but sometimes emotions get the best of us. Alex then proceeds to use this message to say a member of our team loved the blog and that progress was being made. The disinformation begins."

"Our teammate, clearly upset by this, clarifies that he was being sarcastic and those were indeed not his intentions."

"We obtained a copy of an email that was sent by Alex to someone inquiring about the situation. Alex, knowingly (as he had already been informed by our teammate of his intent at this point), used the image in the email to again spread disinformation and say that a member of our team loved the blog and that they're doing good things."

As one can see above, Trace Labs is resorting to using more disinformation in attempts to discredit the team. They are doing so knowingly, which is a disgusting act for an organization meant to do good.

Silencing Protestors.

Multiple reports of Trace Labs banning and muting any member of their Discord who speaks negatively of (or remotely questions) their actions and response in regards to the above events. Members of the team have also reported being banned or removed from the Trace Labs server, even without interacting in the server. Here is just one instance of the silencing that is going on:

Conclusion

In conclusion, the incident at the Trace Labs competition has not only tainted the experience of the participants but has also cast a long shadow on the organization's ethical standing. The events, as recounted by the affected team, paint a picture of not just a lapse in judgment, but a systematic failure to uphold the principles of impartiality and fairness that are the bedrock of any reputable competition. The refusal to address the grievances brought forward by the team, coupled with the alleged manipulation of evidence to suit a narrative convenient to Trace Labs, points to a deep-seated issue that goes beyond mere oversight.

The credibility of any organization lies in its ability to conduct itself with integrity, especially when faced with controversy. The actions attributed to Trace Labs and its handling of the situation reflect poorly on its governance and undermine the trust of those it seeks to engage. For a community built on the meticulous pursuit of truth and justice within the digital realm, such conduct is not only disappointing but antithetical to the very ethos of cybersecurity.

Moreover, the reported behavior of the judge in question and the subsequent defense of these actions by Trace Labs raise serious concerns about the culture within the organization. It suggests a tolerance for power plays and a propensity for vindictiveness that should have no place in any institution, much less in one that operates within the realm of security and ethical hacking—a field where moral fiber is paramount.

The team’s public disclosure of their experience is not just a critique but a call to action for transparency and accountability. It serves as a warning to the wider community about the potential pitfalls of unchecked authority and the harm it can do to the collective effort of securing the cyber landscape.

In the broader context, this episode is a reminder that the pursuit of excellence in cybersecurity is not merely about technical prowess but also about the integrity of the competitions that showcase such talents. It is imperative for organizations like TraceLabs to not only acknowledge and correct such missteps but to also establish stricter protocols that prevent the recurrence of such regrettable incidents. Without this, the community risks eroding the very foundation of trust and respect that it is built upon.