War Games: Will You Capture or Hoist the Flag?

Posted on January 15, 2009

War Games

image credit (with permission): Matthew Michael Stits

Have you ever taken part in a Capture the Flag (CTF) hacking event?

CTF is an intense and at times wholly frustrating experience. Some of the qualities you need include a technical and/or tactical bent, a puzzle solving mindset, competitive tendencies, mental and physical stamina and a mini fridge stuffed with Red Bull.

Every year at Defcon, the CTF contest takes place over a 2 day period. For many this won’t be news - what is new is that a rare opportunity has just opened up. You and your friends have a chance to be the group running the CTF. That’s right, you could be the team that designs, develops, deploys and runs the contest in Vegas.

All things must change, and after years of hard work and consistent advances Kenshoto has decided that it is time to let someone else have a chance to run CTF. We will forever miss their crazy videos and clever configurations. After taking it to the next level, creating a spectator sport out of geeks sitting at their keyboards 0wning machines, and helping CTF gain fabulous recognition around the world, Kenshoto has officially retired as the organizer and hosts of DEFCON’s CTF. The contest is not over, merely in transition to the next keepers of the flame. This is the opportunity you and your crew, company, or government have been waiting for!

You too can pour your heart, countless thousands of hours into planning, producing, and executing the world’s most famous contest of hacking skills. All of the contests at DEFCON are run by volunteers, and CTF is no different.

My intent is to make a game that’s fun for its participants. Kenshoto did a fabulous job of allowing CTF to be a team and spectators sport through scoring visualizations, commentators, game updates. They took it to a new level in one area, and you can take it to another. The heart of hacking has many facets!

CTF is made of many parts from the actual teams, the organizers, observers, third party supporters, the press, con attendees wanting in on some action, and those newbies wondering WTF.

If you have ever participated in a CTF and found yourself disagreeing with the way it was run or walking away with lots of nifty ideas for how you’d run one, now’s your chance to put those ideas into action at Defcon in Vegas. Find out more at the Defcon 17 blog. Deadline for submitting your concept is the 28th February.

What If I’m Not Ready To Lead

Now, if you’ve never participated in a CTF contest and you enjoy attack and defense then I highly recommend you consider taking part in one. It doesn’t have to be Defcon, although that would give you an unforgettable experience that few can claim.

I see CTF as an excellent opportunity to learn more about yourself. You can’t beat the cut and thrust of a live, competitive event to help you discover your strengths and weaknesses and to experiment with different tactics. If you play in a team you stand to get even more from it as you learn from your peers (and they learn from you). What you learn may surprise you. Everyone brings something unique to the table and you may find some of your assumptions about the caliber of other players challenged (for better or worse). Oh, and don’t think you have to an uber-hacker to take part - you don’t. Sometimes our feelings of pride or perfectionism stop us from taking part in the very things that we stand to gain the most from. As they saying goes: ‘Get over it’ :P.

The Side Benefit of CTF That Few People Talk About

Oh, and did I mention the benefit CTF has on your CV/resume?

To a hiring manager faced with inexperienced candidates applying for an entry level penetration testing position, it demonstrates you have experience dealing with emotions frequently accompanying a pen-test. Reading tech books and RFCs is vital, practicing your hands on skills on your home test lab is beneficial, attending conferences to learn new techniques is great but the real winner is demonstrating you can apply what you learn in the face of real-world constraints.

Your CTF experiences are a great talking point for the interview - especially if you are fresh out of college and have little real world experience to point to. Besides, any hiring manager worth their salt is going to give you a hands-on technical challenge as part of the recruitment process. Does that sound stressful? It should do - its not just your technical skills that are under scrutiny. It’s your ability to assess a situation, make decisions and act on them within a timeframe you may feel is insufficient and with less information than you’d ideally like. In other words, its a lot like real world penetration tests (and Incident Response!).

Participating in CTF gives you an edge on those candidates that have never had their back to the wall trying to answer 3 questions: Which target? What tactic? Which tool/exploit? That is when you lean on your CTF experience and help them decide that your name belongs on their shortlist.

Posted in ctf | View Comments