Vamosi: Like a lot of you, I run marathons. Thirteen by my last count. But it wasn’t until I was watching Britney Runs A Marathon, a critically acclaimed 2019 film, that it occurred to me that people who don’t run 5Ks, 10Ks or full-on marathons are under the mistaken impression that I might be running to WIN the race. I am not. I’m training and running the marathon to improve my health, to improve my own personal record. And, yeah, maybe to brag a little about my sub-4-hour Boston qualifying competition times.
Hacking has an event that’s similar. They’re called Capture the Flag competitions. Yeah, there are winners, and some even walk away with sizable prize money or a black badge for future DEF CONs, but a majority have no such ambitions. They’re there also to challenge themselves and to learn new skills. Understandably, like running, there’s also a culture around CTFS.
Go to CTFtime.org and there you will find a long list of CTFs There’s one practically every weekend, and there you’ll see all the teams. You can even drill down and see the names of individual players. And there are points assigned for each competition. Some people just don’t have many points, and that’s okay. The point, I think, with all these CTFs is that people are teaching themselves, through these games, how to be better hackers. In fact, some are designed only to teach you, through gamification, and you can learn specific skills like how to reverse engineer binaries.
At the very least, Capture the Flag challenges you to solve complex problems creatively, in the moment, sometimes without a lot of contexts. That’s something that’s true in the real world. And it’s something that is often missing in computer science programs--creativity. Okay, so how do you learn to think outside the box and become an elite hacker? Stick around and find out.
Vamosi: Welcome to the Hacker Mind, an original podcast from ForAllSecure. It’s about challenging our expectations about people who hack for a living. I’m Robert Vamosi and this episode I am going back to the beginning, way back to episode one, to look at how various hackers I’ve interviewed on this show got their start. Most got started by competing in capture the flags.
Vamosi: So how do you become a legit elite hacker? For a lot of people that path starts with games, often computer games. I’m sure there are gamers who see themselves as coding better, or perhaps finding cheats, but what I’m thinking about are instructional games. These computers capture the flag events which are loosely based on the children’s game. Here’s John Hammond from EP 13 to better explain what I mean.
Hammond: I tend to, I guess, try and explain capture the flag is sort of gamified cybersecurity education. It's working through activities, and exercises and challenges really is kind of the real term, but small puzzles that will help you get in the weeds and really solve a technical problem with real application-based hands-on learning to test and learn your cybersecurity skill, whether it's memory forensics, or cryptography, or web application security or even like binary exploitation, or other tricks and steganography miscellaneous kind of red team operations and it covers a lot. And that's kind of what I try to explain to people and if you have an interest in computers and you should play Capture the Flag, because you can learn so much just by tinkering just by playing and having fun.
Vamosi: There are two basic forms of Capture the Flag. We’ll start with Jeopardy, which is much like the game show, where you have a board with categories and challenges underneath each category each worth increasingly more points. Jeopardy is perhaps the most common, form of CTF.
Hammond: It's funny. Yeah, I think there's definitely a well-established Jeopardy style like flavor and style of capture the flag. Jeopardy, I think, is the whole gamut. Truthfully, it's a mixture of everything and it yeah you can pick and choose what category you might be interested in, or you might have a special specialty in, say, hey, you're really sharp on forensics, but another person or another individual on your team is super sharp in binary exploitation. So they want to tackle that category. Or you can kind of be a jack of all trades and learn as much as you can be really well-rounded. but I think either style of gameplay fosters a lot of collaboration and teamwork. So, sure, if your buddy is super smart, in one aspect, you can learn from them, and they can learn from you. It's kind of a community and really cool culture.
Vamosi: And then there’s Attack and Defend or King of the Hill, that’s the version of CTF you see at DEF CON. It’s exciting because it best mirrors the world of pen testing and hacking on a red or blue team.
Hammond: I think the second one, which most people consider is the second flavor, is Attack and Defense. It's kind of like a live game between a red team or a blue team, maybe in that sense of the two v two, or multiple teams that have their own services they have to kind of maintain and make sure they are up and available, but those have flaws and gimmicks or bugs and another team that has the same vulnerability that they might need to maintain and, but you can also go on the offensive so not only defend attack and defense but also attack right go on the offensive and beat up the other players
Vamosi: So, to become a 1337 hacker, most people have some idea they want to work with computers someday. Not everyone, though, is immediately directed or driven toward playing CTFs, although that is in fact how they got their start. Some, like Adam Van Prooyan, just kind of wandered into that path, in part because he was interested in computers, and also because the West Point Military Academy just happened to have a CTF team that competes in the annual Cyberstakes competition. I talk more about CyberStakes in Episode One
Van Prooyan: So, When I kinda was, there was kind of this idea of like different clubs there, and I was really interested in computers. So I just joined the only Computer Club there was, which happened to be CTT, the cadet competitive cyber team. And so, as part of that, they kind of had this tryouts CTF that they put together. So that was my first CTF. I did pretty well on that because I had that computer screen support, it wasn't designed to be too hard. So I made the team and then we did some other you know obviously ETFs that we're not cyber six and then probably half of the year. Cyber 600 and that was. So, I apologize. I'm using a different set
Vamosi: So, not everyone is in a military academy. So perhaps a better example is Zarata, who we met in EPISODE TWO. Her beginnings were more bit more common. A good school, a good teacher.
Zarata: Uh, I okay so back in middle school, I was fortunate enough to be in a I guess it was magnet program like a STEM program. And so I had a lot of experience kind of doing CES tech stuff for a while. So by the time I got to high school, I kind of felt very on top of like a lot of tech stuff and I kind of wanted to expand out and explore more my computer science teacher at the time was very encouraging I guess to kind of try different things. And so he founds this competition called CSAW HSF which is high school forensics. Essentially he was like, You should go try that. And I like looked at it I was like, oh it's hacking stuff you know that sounds pretty cool. But it was just like I don't really know how to hack, like I know how to like do basic programming, you know, since I've had like some experience in it, but at the time I was just like you know as cool as it sounds, I had no idea like what I'm getting myself into.
Vamosi: The Computer Science Annual Workshop or CSAW is a well-established CTF competition in New York. It’s sponsored by the NYU Center for Cybersecurity. It bills itself as the most comprehensive student-run cyber security event in the world, featuring nine individual hacking competitions, including CTFs. It is held conveniently over the course of one weekend. Like a lot of major CTFS, CSAW occurs over two rounds with an online Qualifying Round in September and a Final Round, usually live, in November. But, as Eyre, from EPISODE FOUR, notes, you don’t have to have your high school or university sponsor you at CSAW. You can be enterprising and go as your own team, which is what Eyre did.
Eyre: I did participate in CSAW but like as not from like a university team but from just like a small group of friends. And like we did not do that well, but like looking at the scoreboard. I saw that he was leading like the scoreboard and I was like, you know, wow that's that's pretty amazing and I was very much inspired to like learn their secrets.
Vamosi: I said there’s a culture in CTFs, and with that there are recognized leaders.PPP stands for Plaid Parliament of Pwning, which is the competitive team out of Carnegie Mellon University. PPP, over its nearly decade-long run, managed to win more DEF CON CTFs than any other team in history. Eyre became interested in CTF in part because of how well PPP performed at CSAW, and she became interested in how to join.
Eyre: Yeah. But yeah that was like my first introduction to PPP and I was like pretty much an outsider at that point. Um, so when I got a chance to go to Carnegie Mellon for my master's program that was like one of the first things I looked outside you know for these people. Like, how do I join because I was also interested in playing CTS. So, yeah, so that was like my foray .
Vamosi: But PPP isn’t the only CTF team, and CyberStakes, CSAW, and Plaid CTF aren’t the only CTFs. There’s something out there for everyone and every skill level. Hint: you don’t have to be in a military academy or college. You can be transitioning into the adult world.
Erye: Unknown 24:25 Uh, sure. So luckily CTS are very prolific. Now as opposed to like years ago. And there's a lot of CTS out there, CTF time is a good resource to see like all the CTF listings that are available for beginners I highly recommend to just like look for the more beginner-friendly CTF because when you jump into, like, the more advanced ones, it kind of gets like. You can get frustrated because there are a lot of things to, to learn and to understand insecurity, especially with like playing these types of games. So, if you're starting out, it's, it's a lot easier to like kind of filter down to like, the more beginner-friendly CTF, like, one, one that comes to mind is like Pico CTF which our team actually puts on like every year. So, I highly recommend going through that and also like some more games as well. So, like lots of things that are online stay online so you can practice and not just like during set amount of times.
Vamosi: After playing a lot of these CTFS, John Hammond of course has a few favorites.
Hammond: I've tried to participate as much as I can. And one game that I am really really fond of. It's the all-army cyber stakes. So I originally had kind of participated in cyber stakes, way back in 2015. I found cyber stakes back in 2015 at the service Academy at the Coast Guard for me, and the military cares a little bit more about like the security of stuff like sure it's cool, you can make this. But, can anyone break this, it's good versus evil kind of a make not just break and make that sort of idea. And I think at that point, it kind of originated as kind of a competition between all the military academies the service academies between West Point and Annapolis, and Coast Guard are in their forces in there. Now I think that just brought Merchant Marine in, but it's very very cool and very very fun,
Vamosi: CyberStakes is a bit unusual in that it runs for 10 consecutive days, allowing the players to go to work and school and then catch up and play at night. The general goal with Cyberstakes is to first and foremost to introduce and educate people with basic infosec skills.
Hammond: Because what I've seen all army cyber states do, at least in some of the recent games is they'll take a classic vulnerability they'll take kind of a well-known vulnerability that there's a lot of kind of decent understanding of and people know what they can identify, but they'll spin it on its head and add a little gimmick or little twist in there so you'll kind of have to do some creative thinking where my SQL injection works, but it only works because it's tracking whatever IP address on come from and oh I could somehow alter that or manipulate whatever header and field so that I could slowly squeeze in and then whatever I can run a command and call back from the server, etc etc. So rather than a cookie cutter or one equals one, just to kind of a one step at bare bone basics. Question or task of you, it becomes this more thorough complex. Critical Thinking exercise where you've got a couple of other hoops or things to work through some other hoops to jump through. And I think that's really really fun I like that extended complex problem to work through. But that's one that I really love and appreciate all army cyber steaks is great,
Vamosi: If you want to learn more, I covered the Cyberstakes in Episode One of The Hacker Mind. Here’s Adam VanProoyan again. So after graduating from West Point, Adam went out into the real world and found there really are more CTFs in the real world.
Van Prooyan: Yeah. Um, so, typically there's kind of like these well known CTS, and they're run by the same teams every year. So like, PPP does plaid CTF every year. I believe UC Santa Barbara does ICTF every year. So, different teams are kind of put on their own CTFs and everybody else plays.
Vamosi: There’s this website, CTFtime, and it lists literally all the CTFs. There’s practically one a week, if not more.
Hammond: It's funny, I think there's sort of a CTF season when kind of all the universities are kind of back in session Hey September the school year starting, and you'll see, yeah hey, some school XYZ is putting on a game or hey there's a conference going on and there's another event. Hey there, we got another competition rolling up kind of from some industry company organizations putting something on, it's incredible just about every weekend or close to it. There's so many you can kind of get your hands on and play.
Vamosi: So, given that there are a lot of great CTFs, what then is a good entry point for starting CTFs or information security for that matter?
Hammond: but for kind of the beginners kind of ones just getting started. newcomers that are interested in this field. I do give a lot of love to Pico CTF. I think that's become well known it's just what folks will point to and say hey if you're interested in Capture the Flag. This one is really great at holding your hand and just kind of getting you in the thick of it. Even if it's running simple Linux commands and just being in the command line to navigate around the file system, it'll get you started. And that's fantastic for to really just springboard someone into a great scene and culture.
Vamosi: Okay, PicoCTF, was started by PPP at CMU. But it was started to get people interested in competitive hacking by teaching them basic skills. And it’s free, and, really, it’s not just for kids. Here’s Megan Kearns from Episode 29
Kearns: And another thing, although picoCTF markets itself to the high school crowd. It's really open to everyone. We talk about being marketed I guess at high school students, but if the content wasn't so desperately needed. Then our only demographic would be high school students right our demographic is everybody anywhere, because of the content. This type of content just doesn't exist, even if you go through AP Computer Science, which is an amazing course, they don't really tackle cyber security. So getting cybersecurity education materials often comes with a price tag. And right now you can really set that price, anywhere you want, with Pico, it's free. It's designed by the security experts at Carnegie Mellon University, so it's kind of like a win-win for the world. So if you're an adult looking to change careers or just build on a skill set you already have, this is the perfect program because you can do it by yourself, and, and we don't know who you are, so we won't judge you,
Vamosi: Megan insists literally anyone can learn more about InfoSec, even those who might not have thought.
Kearns: Your grandmother has a cell phone in her pocket. She's carrying a computer around with her all the time, it's likely attached to the internet, many times a day. Right. She needs to have some sort of cyber awareness. So you know put her on picoCTF, she can learn terminology, she'll be an experienced hacker, along with you. I mean everyone needs this information.
Vamosi: Okay, DEF CON provides the penultimate CTF. The biggest and best-known CTF takes place during DEF CON, which takes place during the annual Hacker Summer Camp in Las Vegas each July or August. Founded in 1996 at DEF CON 4, the CTF competition pits up to fifteen teams against each other in a King of Hill-style competition. That means teams are not only attacking, they're defending their own servers at the same time, and scoring in various ways. The team with the highest score is King of the Hill. More practically, they win a DEF CON black badge which entitles them to attend DEF CON for free for the rest of their lives. Not bad. But not everyone can sign up for the DEF CON CTF. If DEFCON is in July or August, the qualifiers are in May or June.
Zarata: Qualifiers are a little difficult sometimes because of the timing. Historically the timing has usually overlapped with either graduation. Move-outs, final exams. Some of the combinations. So historically for the students on the team, it's been difficult to participate. Now that being said that doesn't, of course, stop, a lot of the students, but a lot of the qualification rounds sometimes are played more heavily by the graduate students who have graduated, rather than the current students, which I think is like flip flops for most other CTFs. If the timing is right then, I think most people play.
Vamosi: So even if you’ve made it through the qualifiers, there are other considerations--how many teammates do you bring with you? There’s a part that screams, bring everyone. But even with larger team sizes, it’s not always in the best interest to have more than enough
Zarata: But yeah, the final rounds, I think, are we're limited in terms of like money and like the ability to I guess when we're like working on problems for instance, if you have like 100 people working on a single problem, there's like a bottleneck of, I guess, how many people can efficiently work on that problem right. But there's also the issue of like, you don't want to people to be duplicating work, especially in something like DEF CON where you are dealing with many many different problems, some of which are live essentially kind of because like their attack, defense and so you need to be like watching like what's going on, constantly. You'd really don't want to be duplicating work so there is like a certain number of people that when you get past that you start either having issues or like people are duplicating work or maybe you have some people that don't really know like what's going on, or where they would fit in best. And then that becomes like an issue for them as well because they don't feel like they're contributing much right and we want people to feel like they're contributing.
Vamosi: Also, if you are aspiring to compete one day in the DEF CON CTF, be prepared to give up your entire DEF CON experience. There are so many rooms to visit, villages to participate in, and talks to queue up for. But for the many who do play DEF CON CTF, they never see any of that
Zarata: I have never done anything else at DEF CON and I've been three times I think I'm sure many of the other. For many of my other teammates I'm pretty sure we're in the same boat. Um, I think, like the most I've experienced is sitting on the CTF floor and then hearing like the other competitions going on, or maybe walking by the tinfoil hat contest or the fortress events. It's a little unfortunate because you know there's a lot of cool stuff there. But realistically I think like if we are doing the CTF we are doing the CTF and we are going to put all our focus in on that. And if you need a break and you want to like go do something else for a little bit that's fine but I think like everyone on the team is super dedicated to doing their best on the CTF. And so every, I think most people just spend their whole time doing that
Vamosi: So CTFs sounds like fun, and it sounds like you will learn from playing. But do CTFs have any real purpose in the world? I mean, being good at a CTF, is that a marketable skill?
Hammond: Yeah, no, I have screamed and I shout from the rooftops I try and sing the praises of capture the flag because it's such a great way to learn, and that there is motivation and seeing your name up on a leaderboard and no one you can solve just one more and you'll pass that person ahead of you. So you'll go and learn, and you'll go and study and research and Google around and try and solve whatever task is in front of you. It cultivates some real feeling of lifelong learning and companies right your employers, they kind of like that, they kind of want that if you've got this motivation is passion and drive. Seeing their people see their own personnel participate in Capture the Flag. I think that goes and proves to them that hey, then that individual is really dedicated and kind of loves this stuff, they, they want to get more and more of it, and they're happy to encourage that.
Vamosi: Eyre’s no longer a grad student; she’s out in the real world. And you can find some of her malware analysis on the Internet. But she still occasionally plays with her old team, PPP
Erye: So it's starting to be more of a hobby on the side. To be honest, I haven't been playing a whole lot lately because work is just like very consuming as of late, um, and together with like the COVID stuff is just like getting really hectic and I was like you know I need like some things to like, I need to let go of some things. So, Unfortunately, like some of the CTFs I don't get to participate in as much anymore, because there's a whole lot of them so there's one every weekend and that's just like way too much. So I try to pick and choose like which, which ones I get to join. And if I have time and I will. But for this particular DEF CON. I am I am playing. And it's looking like I may actually need to take like a day or two off, just because it's like the schedule, or for the actual CTF, but yeah balancing between work and CTF is starting to be a little hard maybe because like I'm also getting older right it's staying up late for like long um like a large amount of hours is not quite conducive when you have to like go back to work and like be sharp and be able to like to contribute to like the job
Vamosi: Important to note that s good as any CTF is, it’s not the real world. In the real world, you have to find the bug. In CTFs, sometimes the bug is right there in front of you. Here’s Tim Becker from Episode Seven.
Becker: Oh, actually, in CTFs it's more common that the bug is more or less obvious it at least in these challenges that are based on real world vulnerabilities. And it's more a test, and like an assessment of your ability to write the exploit for the bug. Um, so with respect to like learning tools for bug hunting. I wouldn't say that ctfs are the best way to learn that but there's certainly a good way to learn about different types of vulnerabilities that exist, and get practice with exploiting them
Vamosi: If this still sounds like just fun and games, playing Capture the Falg, remember that it’s also a chance to learn specific skills such as Use After Free, which is a surprisingly common vulnerability. It’s CWE 416, in case you’re wondering. Use After Free refers to the attempt to access memory after it has been freed or potentially result in the execution of arbitrary code.
Becker: I acquired most of my skills initially from Capture the Flag competitions, and especially lately. The capture the flags of becoming have been becoming more of real world. So a lot of the challenges in CTF now are based on real world vulnerabilities, or just actually real world vulnerabilities that are like now one day. So, if you want to get practice in writing exploits on real world software CTS are actually a very great way to learn that right now.
Vamosi: Still, it’s good to think about how you’ll fare in the world without your team to support you.
Zarata: Now as you graduate from college and you now are like in a workforce and you know you have like actual life, I guess, once again, it becomes a little more difficult to do CTFs, and especially because you know you're not with your friends and your teammates and it's just, it feels a little lonely sometimes and it becomes a lot harder to communicate more complex ideas, especially, especially when you're working on challenges. That being said, I think everyone on the team is super excited to be on the team. I think the knowledge that we learned is like incredible, and the friendships that we have on the team are also like great. And I think everyone is just like super excited to play DEF CON like even if they maybe don't show up to, ETFs, like, super often during the year, DEF CON is like the one thing that everyone is usually like okay we're gonna go and do like super well and meet up and stuff. Also because we get to see each other at least once a year, the other time being played CTF. The CTF that we run. Um, but yeah, and I think things like discord and, you know, anything else that you know bolts audio and video has been like helping a lot, it makes people a lot more interested in playing because they can see their teammates and they can, you know, pack pretty efficiently
So how does one become a hacker? Start by finding a CTF at your skill level. Some are great at teaching the basics. That’s why they exist. Others will start to challenge you. And, if you find others online and form a team, you can start to play competitively, and maybe make some money
Unknown 24:25 Uh, sure. So luckily CTS is very prolific. Now as opposed to like years ago. And there's a lot of CTS out there, CTF time is a good resource to see like all the CTF listings that are available for beginners I highly recommend just like look for the more beginner-friendly CTF because when you jump into, like, the more advanced ones, it kind of gets like. You can get frustrated because there are a lot of things to learn and understand insecurity, especially with like playing these types of games. So, if you're starting out, it's, it's a lot easier to like kind of filter down to like, the more beginner-friendly CTF, like, one, one that comes to mind is like Pico CTF which our team actually puts on like every year. So, I highly recommend going through that and also like some more games as well. So, like lots of things that are online that stay online so you can practice and not just like during a set amount of times
Vamosi: And where might all this competitive hacking be heading in the future?
Hammond: I have a lot of folks that asked me kind of from the other stuff that I do is like, do you think hey hacking and capture the flag will ever turn into this eSports thing where we've got a spectator sport, and just like gaming just like hey, someone might stream, World of Warcraft or League of Legends or whatever. Will people stream, playing Capture the Flag, and will that hacking become a sport, much like gaming has now. And truthfully, I think it will. I think that would be very cool and I'm excited and looking forward for that day. I don't think we're there yet. We might we got to get a lot more people interested in kind of in the scene, but I definitely agree that it aligns really well with gaming, because it is something to play and tinker with. So, yes, you've got your hacker mindset, and you've got your gamer mindset where you want to compete and you want to explore and play. So definitely I think it strikes a chord with both