The Hacker Mind Podcast: Learn Competitive Hacking with picoCTF

Robert Vamosi
September 10, 2021

PPP wanted to give their past high school selves the infosec education they didn’t have. But if you think picoCTF is only for high school students, think again. 

Megan Kearns of Carnegie Mellon University joins The Hacker Mind to talk about the early days and the continued evolution of this popular online infosec competition site. No matter what your age or interest level, picoCTF has something for you to learn.

Vamosi: For some of us, it's back to school time. In InfoSec, however, learning happens 365 days a year. I mean, there's always something new to learn. But what about the basics? That's often a matter of backfill. As you come upon something you learn it in the moment. At least, that's been my experience. But what if you want or need a more formal introduction to the basics of, say, digital forensics? There's been a lot of emphasis lately on gamification. You walk so many steps and Fitbit rewards you with a badge or compares your workout with someone else. So there's some motivation to keep you pushing forward. And then there's just research, that too is part of learning. For example, when learning a new subject area. And if you're going for a certification like CISSP Computer Information Systems Security Professional, you'll need to have a breadth of experience across multiple domains. So while you may be particularly skilled in security architecture and engineering, how are you with identity access and management? Considering all of these, gamification, research, and breadth of knowledge, it seems that preparing for, or even playing a game of capture the flag, might be a great way to expose any educational gaps, if not generally improve and deepen the security skills you might already possess. In a moment we'll hear from someone from one of the best known starter CTFs. Learn how even someone mid career in security can play on their own, and even fill in gaps on their own learning, all year round.


Vamosi: Welcome to The Hacker Mind, an original podcast from ForAllSecure. It's about challenging our expectations about the people who hack for a living. I'm Robert Vamosi, and in this episode I'm talking about picoCTF, one of the best known CTFs for people entering the field, and even for those among us looking to grow their personal knowledge. It's an online resource built by hackers for hackers.


Vamosi: So in this episode, we're going to be talking a lot about Capture the Flag, not the children's game of course, but the information security game. We're going to talk about the Jeopardy style CTF, which like the TV game show has six categories of questions, with varying degrees of difficulty. Over the last year, I kept running across references to one Jeopardy style CTF in particular. So I called up someone from picoCTF to learn more.

Kearns: My name is Megan Kearns and I am the project manager for picoCTF, it's developed in CMU, out of the CyLab security and privacy Institute and I've been with CMU for 10 years, and I worked in silos, for all of those 10 years, doing different things. 

Vamosi: Carnegie Mellon is one of the best known US universities for Computer Science and Electrical Engineering. CMU has produced some amazing InfoSec research over the years. So what is CyLab?

Kearns: CyLab is a research department at the University, and it encompasses all departments of the university that are interested in security or privacy research. And so it was developed in 2003 I think it was launched, the Dean of the College of Engineering at the time had launched this place where cyber security research could be done. And so we don't have faculty that are home department CyLab or students that are home department CyLab, you belong to other departments, you do your research on security and privacy in CyLab. 

Vamosi: One thing you'll pick up quickly about Megan is that she embodies a real enthusiasm for her job

Kearns: I love pico so much I just always want to talk about it. 

Vamosi: Part of that excitement comes from engaging with people to nurture or encourage their curiosity in InfoSec, 

Kearns: That's what we want to do, that's it this is just the way, this is the thing that we're trying to do and you. I've never been good at math. I'm not really that into computers, I'm not a gamer. Okay, we'll take you, because you likely have an aptitude for this. Cybersecurity is like the wild wild west I always say, you know, it's just so vast, there's so many opportunities there and we just want people to realize that it doesn't matter what your background is, I'm the walking case for this right, it does not matter what your background is,

Vamosi:  This nurturing of curiosity starts to get to the underlying hacker mindset, this idea that you don't have to be in computer science to be good at InfoSec,

Kearns: It’s more than just math and science. And so people with really creative backgrounds tend to do well because they think differently. And they attack the problem differently. And that's useful when you're hacking, that's what hackers need to be right they need to be creative. And if you're defending an offender, then you need to be a little, even a little more creative, right because they don't have anything but time to attack you, you typically don't have a lot of time to defend yourself.

Vamosi:  That's why Megan is a champion of online self learning programs such as pico CTF,

Kearns: You shouldn't think this isn't for me because I like a different subject, you should just try it anyway, we're just trying to spark curiosity we just want you to have the opportunity to gain a little experience in this area. And even if a 13 year old says I don't like this, that same 13 year old at 18 may think, oh my gosh, why didn't I like this? I love it.  And 40 year old, I mean, anybody even just interested in learning, or changing careers.

Kearns:  And another thing, although picoCTF markets itself to the high school crowd. It's really open to everyone. We talk about being marketed I guess at high school students, but if the content wasn't so desperately needed. Then our only demographic would be high school students right our demographic is everybody anywhere, because the content. This type of content just doesn't exist, even if you go through AP Computer Science, which is an amazing course, they don't really tackle cyber security. So getting cybersecurity education materials often comes with a price tag. And right now you can really set that price, anywhere you want, with Pico, it's free. It's designed by the security experts at Carnegie Mellon University, so it's kind of like a win-win for the world. So if you're an adult looking to change careers or just build on a skill set you already have, this is the perfect program because you can do it by yourself, and, and we don't know who you are, so we won't judge you,

Vamosi: Megan insists anyone she says literally anyone can learn more about InfoSec.

Kearns:  Your grandmother has a cell phone in her pocket. She's carrying a computer around with her all the time, it's likely attached to the internet, many times a day. Right. She needs to have some sort of cyber awareness. So you know put her on picoCTF, she can learn terminology, she'll be an experienced hacker, along with you. I mean everyone needs this information.


Vamosi: Quick disclaimer here before we get too far: Dr. David Brumley is a professor of Electrical and Computer Engineering at Carnegie Mellon University. He is a co-founder and CEO of ForAllSecure, a sponsor of this podcast. He's also a past director of CyLab, but for our purposes here, he's the founder of picoCTF, and he's the founder of the Plaid Parliament of Pwning and as a consequence, they are perhaps the most famous alumni of picoCTF. How much more famous? The PPP formed in 2009. PPP is comprised of undergraduates, graduate students, and alumni of CMU. PPP competes internationally in many of the top competitions against many of the top competitors. They began competing at DEF CON CTF in 2010, and won first place in 2013, 2014, 2016, 2017 and 2019.

Kearns:  Yeah, that was the winningest team in DEF CON history. I just want to make people understand that the students. A lot of them came to the university, came to cybersecurity through picoCTF. So now they're giving back, that's one of the parts of the story that's my favorite is when you, when I personally meet a how you meet a college student who's like I played pico in high school, and now here I am, and I raised some challenges or can I do something with B going. And that whole idea about giving back. It kind of goes unnoticed. We should probably write a story about how generous. Our students have been. They recognize the value in the program and they give back willingly, and then they go off and they either win first or second place at DEF CON, and their skill set is incredible. I look at them as the same as I would any other professional athletes, their skill set is undeniable. 

Vamosi: Yeah, I could see how someone might rank individual members of PPP on par with professional athletes. They may not win every game, but watching them play is simply amazing. So, given that picoCTF was initially designed to be a pipeline for PPP talent, how did picoCTF get started?

Kearns: 2013. Well, I guess technically 2012. Dr. David Brumley and his students decided that the best way to make sure they had a pipeline for PPP, and competitive hackers, was to reach back into high schools and educate students on what cyber security is, how much fun it can be and then give them a free and accessible platform to test their skills. And so the first one launched in 2013, and I believe they had 6000 students and teachers involved in that one and it's just, it was a brilliant idea. It was a need that I'm not sure everybody realized they needed. And it was a salute it's you know it's part of a solution to a problem and it's just grown exponentially. We have over 105,000 users currently on the platform.

Vamosi:  What I'm wondering is what happened that very first year about 6000 people participated. How did the word get out, or was there a pent up need for information like this and picoCTF just happened to satisfy that need.

Kearns: Yeah, I wish I knew the answer that team would like me to give, but I really think it's just from David Brumley and his students on PPP, understanding that they had a fine that this content on there, to become competitive hackers right. And so if they could give it out to their former selves, their past high school selves like this is the thing that they wish they had so they built that, and I can't really find any history of any like targeted marketing strategy there it was kind of like they built it and they came. And we really don't spend a lot of money on marketing because we don't have it, people just keep coming, I don't know where they come from, they just word of mouth has been our best friend. We have an amazing community now on Discord, some of the best people in the world are on Discord, they help each other, they spread the word. They give us immediate feedback, they just make us better.

Vamosi: There are other starter CTFs. We heard from Zaratec in Episode 2, who, before she played on PPP, started out by playing CTFs at CSAW, a competition now in its 19th year. The Cybersecurity Awareness Worldwide or CSAW is organized by the New York University's Center for Cybersecurity and bills itself as one of the most comprehensive student run cybersecurity events in the world, featuring at least eight cyber competitions, workshops, and industry events. So how does picoCTF compare with something like CSAW?

Kearns:  Yeah, so picoCTF is kind of unique. And there's many other programs that I guess there's not that many. But there are other programs that offer cybersecurity education but where pico kind of fills, where it's niche, is that we're really, we're free and open and accessible on the web right so everything is web based, so you really don't need a lot of software. You don't need to download things you don't have to worry, you can use a lot of web based tools as well. And you can get started at pico so you can do it at your own pace, competitions are a thing that we do, but it's available 365 days a year, so you can build at your own pace, and it's virtually all online, we don't do any in house training, so you don't have to join anything your parents don't have to drive you somewhere to play. And we have been successful at teaching young minds how to be competitive hackers. Right and coming out with a real skill set at the end so I think that's what makes us unique, and it's kind of a niche thing,

Vamosi: As we heard, PPP is a central part of the origin of picoCTF. But let's be clear. PPP is a separate organization. For example, doing well in picoCTF does not mean that you get to play, or even try out for PPP, right?

Kearns: Right, yeah, I'm not gonna, I'm not promising anybody a spot on PPP. Yeah, so one of the things when picoCTF really took off and started to grow. It needs staff to manage it right. It's not the responsibility of a student who's working towards, whether it's an undergraduate or graduate degree, to take on the responsibility of managing and maintaining and growing picoCTF. So when that when I, when I came in that was the goal right it's like staff pico, make sure that it's sustainable make sure that it continues to grow and meet the needs, but we can't deny the importance of students right they're they're really important to the growth and to the success of because if you if they're the ones doing in the current work right, they're the innovators, so students who may be on PPP do provide challenges and content to pico but that doesn't guarantee you those two things are still separate Yes. And, you know, being successful in pico may get some of the attention of the students on PPP but it doesn't mean you're going to be on PPP. And also, pico is not the responsibility of PPP.


Vamosi:  So what is a Jeopardy style CTF. Well, it's organized like the TV game show, you have categories across the board, and within each category are questions that are progressively worth more and more points.

Kearns:  So for us, we typically have six categories. Binary exploitation web exploitation. Forensics cryptography. We have something called general skills, that is a little deceptive we're, we're really considering breaking that out, too, because we look at general skills internally as more intro but I don't think externally people really see it that way. I think sometimes people come thinking it's going to be like cyber hygiene and we really don't do that we do more of, you know, cybersecurity engineering. So, yeah. And we have a lot of research that we're doing on those other areas so I anticipate our categories will expand in the near future here as the research and development on those come to a point where they can be launched publicly. 

Vamosi:  Okay, we have six categories across the board. So how many levels does picoCTF, go down.

Kearns:  So the nice thing about working on a project like picoCTF is you can experiment, pretty much all the time, with the way you do things so we don't really, we haven't been doing levels for a while, we kind of originally had like this intro level and intermediate level and a advanced level and those challenges kind of unlocked as you went along. The last CTF that we released and the way that the gym is set up is that you can really jump around and solve any challenges you think look interesting. And although we do assign points to each challenge, we kind of judge how difficult the challenge is going to be based on the number of points that it has. We go back and forth between doing like a real level UX and kind of this open, free for all.

Vamosi:  So the game of capture the flag includes a flag. It is hidden somewhere in the puzzle in the code, but how that flag manifests itself might depend on the challenge.

Kearns:  So typically, you're presented with an issue that you have to solve. And, you know, one of the things that make us unique is we do this kind of offensive and defensive hacking. And so you're presented with a challenge, your answer comes in the form of a flag, a picoCTF, we're, we let you know ahead of time your flag is gonna say Pico, and it's gonna be in curly braces, but you're gonna have to find your flag somewhere and that might be, you know, downloading a file, or, you know, coding your way through a website or so, you know, there's different ways reverse engineering using reverse engineering tool figure out which tool you need to use for that. There's a lot where we're lucky that the world is developing a lot of web based tools. So it makes it more compatible for picoCTF. And then if you find your flag, where you think you've got your flag, you enter it in to the shell that we provide, and you get an immediate response right because it's an auto grader at heart, the software. And so you immediately know whether you're right or wrong. That said, hackers will be hackers. Part of hacking is using critical and creative thinking, to figure out what you're, you know, to read what your problem is and trying to find that solution and your solution comes in the form of a flag. I will tell you, like kind of insider information, that, especially during a competition, we get 10s of 10s of comments that say, I know I have the right flag, and it won't accept it. I think this challenge is broken. And it's always so sad for me to reply. Oh, you're so close but you don't have the flag, and when you see somebody is one character off, you're like, Ah, I can't help you, but it's so sad.

Vamosi:  One of the things that makes pico CTF different is that it's available 365 days in an average year

Kearns:  previously between 2013 and 2019, we released everything brand new a brand new platform, brand new challenges, brand new education content. At the time we released the CTF right. And so that was either, it shifted between spring and fall semesters. What we did in 2020 is release a brand new platform. And so that platform is now available, like you said 365,

Vamosi: The open source CTF platform is by itself kind of cool. What it represents is the content of the Jeopardy board, but also the back end that keeps track of the points earned by each contestant. If you think putting on a CTF is a relatively trivial task, in Episode 13 I talked with John Hammond about his extensive experience both playing and creating CTFs. He said that having an open source platform already built and ready to use is half the challenge.

Kearns: Right, the more innovative of our educators, they can use the open source. That's another thing that we inherited that David has been very serious about is maintaining this open source piece so that people can use it. I do know that people have used it to run their own CTFs. We also have an open source channel on Discord so that people can talk to us when they need help. We don't like, work for hire and we can't always be there but we do try to help people use it. However, you know, the content is really our bread and butter.

Vamosi: Speaking of content, Megan said it's a year long process. Now that PPP has satisfied some of their basic things such as what they wanted to learn when they were younger, where is picoCTF getting its new content from?

Kearns:  Yeah, new content is developed constantly, and we actually, we do get a lot of students, developers, student writers, you know a lot of the students that are on PPP do contribute challenges. We do get some external help too. There are some people like us who have a very strong connection with the Air Force Academy. So some of their graduates often write challenges for us, but we have a lead, education, developer here on the team now Luke Jones, so he, he's tasked with making sure we have education content that usually comes out in the form of challenges because they do take your average challenge takes about a week to write, if you look at it like that, so the harder the challenges, the longer it's going to take to develop write test develop hints for because our, our problems do have hints, typically to help people understand the challenge so they know where to go about looking to solve, or looking for their flag. So we do develop content, you know, year round. And we are just tapping fast sometimes we get lucky like a faculty member who says like hey, let me contribute something. But, yeah, we rely on students, and students are amazing, because they freely give up their time, and it's always interesting to me to see how excited people are to write, or contribute to challenges that they've been working on. 

Vamosi:  Given this is an iterative process, they still maintain their annual competition.

Kearns: What we do is now we occasionally launch CTFs, sometimes a much smaller version, which is a picoMini, or the larger annual CTF of that one though is being released in the spring now. So released one in March 21 and we will release it in March 22 that's directly feedback we got directly from teachers and students who have a lot going on the fall, and would like the fall semester, to build up their understanding of concepts before they enter so the main competition the largest one that we launched in the spring. I mean that's reliable right, you know we're gonna launch it in the spring, the mini competitions, they're kind of pop up style, and they're much fewer challenges and we can actually be more selective or even theme those minis. And so they're really there for fun, right, like that's just for fun.

Vamosi:  Themes are cool, especially in a Jeopardy style CTF, you might have all the questions related to say cryptocurrency.

Kearns: So we've only done three pico minis. But we are going to drop an introductory picoCTF mini in the winter. And so this will be strictly introductory challenges. This is for anyone who has no experience with a CTF, you don't know what it is, you've looked at the challenges in the pico gym and you thought, gosh these are kind of hard like I don't even know what to do here. This one is really for you right, we have this big middle school following, we have a decent number of middle school kids and they do really well right I know they're our future bosses just accept it. And so really what we're thinking like what can we give up, and what can we give anybody who we say you need no experience to come to picoCTF and then you get there and when you find the challenges are difficult, you're kind of disappointed. What can we do for you and so theming it around introductory, I think, you know, we really believe is the way to go here, give people a taste of what a CTF is really like. But you know, give yourself a baseline, establish, you know how difficult this intro is and then we'll help you build from there. And we also have the ability to theme them in ways like we can focus on IoT challenges, right our challenges that are specific to, to the interest in the IOC, or IoT in ICS, different, different areas. We had somebody doing some research on how to connect blockchain, in this space. We have people working on AI. We do have a couple of like AI related challenges already but just working on AI and security that intersect and. And that's where we, when I say we can theme them, that's what I mean like we can drop just about AI.

Vamosi: The process of picoCTF is to use resources from the university.

Kearns: The development is all done in house, at, at CMU. From the software all the way through the content. And we've just made an effort to keep it technologically accessible. Right, low technology, you need an internet computer or Chromebook, that works beautifully on a Chromebook. We've also gamified it. That's something that's a bit unique, there's typically a video game component with every competition. We'll be expanding on ways that we use the video game in the future, and the game was developed here at CMU at the Entertainment Technology Center. And it's graduate students, they do a semester long project, they build that game, brand new, every release every year. And as such, it is open source, and therefore free to individuals online to use in their own learning process so we don't release the content we release the software, we release the platform. So you would have to develop your own content if you use the open source, but the fact that people are doing that. It makes us really happy.


Vamosi:  One of the challenges with education is finding the right balance between what people already know and what they need to know. Consider just because you're a passenger in a car, doesn't mean you know how to drive. Sure, you observe that cars stop at red and go on green, or that there are signs posting various speed limits. So, picoCTF isn't just capturing the flag. There are other areas of the site to help you learn at your own pace, aside from it being available all the time, picoCTF is different and that includes a lot of great resources, even some smaller tests to CTF that you can play all by yourself.

Kearns: You can spend your time in what we call the picoGym, which is the non competitive space, practicing the challenges. We have a pico Primer which is our online textbook and you can read about concepts, and then you can enter any one of our competitions.

Vamosi: The pico Primer is a repository of all sorts of great knowledge. If I said person-in-the-middle attack, you probably understand, but with someone like Megan,

Kearns: Do you want to know the big secret behind picoCTF. I don't have a technical background at all. I have a degree in anthropology, so when I tell you I convinced David I could do this. It was not easy, so he was thinking, Well, I've known you now for years, and I don't know why you think you can do. So yeah, we do a lot of testing on me, right, like when they write this stuff like can I understand it. And if the answer is yes, then we're good for the general public right so some of this information is very valuable to people who have zero experience right they get they get a description on what a Caesar cipher is

Vamosi:  A Caesar cipher, if you don't already know, is a very basic cryptographic method first used by Julius Caesar, when communicating with his troops in the field, basically, each letter in the alphabet is replaced by another letter, further down the alphabet. For example, a shift of five would make every instance of the letter A. Become the letter E. You can create your own Caesar cipher by putting all 26 letters of the alphabet in one line, and then shift the second line by say five characters, as I said it's pretty basic, and there are special cases too, such as rot 13 which shifts everything 13 spaces down the alphabet, this kind of knowledge that you can gain by playing CTF, or by visiting the pico primer.

Kearns:  I think it's understanding the terminology that's a huge part of I can't tell you how many years I've spent googling terms here at CMU because it's talking about. So, I'm just saying the terminology is huge. And then if you're somebody that has a little bit of a background, digging deeper into concepts is a big help. Another secret is that the primer really, it's a beta but it's not even a beta it's barely a beta version of, we had an amazing student come to CMU and was like, I already know about Pico, here's what I want to do for you. I want to write this. And so our education lead and this student just got together regularly and started hammering out these chapters, and then I was the, I was the proofreader so any typos are my fault and I learned so much just reading it. So I am telling you from experience. If you just want to read that, you will learn, because I did.

Vamosi: So you play picoCTF, or any CTF. What is the result? I mean, I run, and these runs are recorded online. So I have my personal best times in the marathons that I've done online. Is there anything like that available for CTF? Turns out there is a site, CTFtime.org.

Kearns:  We do go to CTF time. We love CTF time. And there's a gentleman behind CTF time that we talked to directly. I think at one point we kind of broke CTF time. But we are trying to be better and more accommodating. It's the thing that the community really encourages us to be compatible with the rules of CTF time sometimes because CTF isn't compatible with anybody else's rules because we like to do things, You know, differently. But yeah, yeah, thank you. Good to see to CTF time in the gym, though, like it's your personal progression, right you can see how far you're getting through the challenges, and it's, it's meant to encourage people,

Vamosi: There's also something else in terms of reward high school students who play pico CTF, and do really well may end up with some scholarship money.

Kearns: So, this just happened in 2021 where there was a new scholarship developed for US high school students called the National Cyber Security Foundation, they launched their first CTF in April, and you could get an invitation to that CTF three ways, by going through CyberStart America, CyberPatriot, or picoCTF. And so you needed a point for picoCTF. You needed to reach 1000 points to get an invitation, but those points, essentially through picoCTF, gave you this opportunity to win this money. And we're hoping to expand that, we were hoping that other groups build up the same opportunity for students that picoCTF can then get involved in. And I, right now, I mean, I'm not sure you would put your points on your college application. But you could write about what you do in a letter. I think we're getting to the point now where the visibility of picoCTF is enough. That scoring, you know where you placed on the scoreboard or the number of points you have in the gym might be a value to certain people. We have an achievement system that we haven't made public yet, but soon you'll get badges and stuff that are related to those things that you can share.

Vamosi: All of this begs a question. Since CMU sponsors CyLab, which supports Megan, does CMU look at picoCTF scores for incoming students? Will performance have any bearing on getting in?

Kearns:  I know, man. Do I try though. I will say though, I can see the shift internally at CMU because this last year from everyone from the university the Provost Office and all the deans, they were really tweeting stuff about picoCTF during the competition right so they're really promoting it now, and we've had people from CMU admissions from from CS department actually admissions, Come to our seat our picoCTF award ceremony for our winners to talk about like how to apply to CMU how to get into CMU how competitive it is. So I do see the shift. Yeah, I'd love to get to the point where your pico performance matters, because then I feel like man, the ecosystem has grown enough the education because it's an that that we're now important in the eyes of admissions, but we're not there yet.

Vamosi: Even so, even anecdotally, has Megan ever heard of other colleges or universities that have used picoCTF scores?

Kearns: I don't know that they use pico scores but they use pico in the classroom, we know this right we get, we get tweets, they're on Discord, we get emails, the emails all come to the very small team that we are, and we answer them all the time so we know people are using it in their classrooms as supplemental material, but as far as admissions. I don't know I still think there's probably value in writing it in one of your essays. I think I called a letter but what I meant was an essay about what you can do, and you know you can perform these skills because here's what you've done in a program like picoCTF, I think there's probably value in that.

Vamosi:  There's another interaction with schools, and that is, educators, both at the high school and the collegiate levels, are using the resources at picoCTF for their teaching.

Kearns:  The beauty of picoCTF at, the website where the program lives, is that most educators because it is web based, it's really easy to get whitelisted, they can just point their students there as an access right as a resource to access, and they can say go and do so many challenges or go and do all of the binary or whatever they're there, they're teaching. They can incorporate in their lesson plans easily. It's free and it's easily accessible.

Vamosi:  PicoCTF has become really well known through its reputation, and without any dedicated marketing budget.

Kearns:  I would just like to ask a lot of people to spread the word, right. I mean word of mouth has been our biggest champion. And the more people are using it, the more it's valuable not only, you know, to the university itself, but to other foundations and corporations. And we will, our ultimate goal here is to have every high school student in the country eventually go through the picoCTF. Right. And to come out of that with an understanding, a basic understanding of baseline knowledge of what security engineering is. This can be a very lucrative field. And it can be a life changer for a lot of people, you don't necessarily always need a degree to get a job in a field that is related to cybersecurity. Sometimes if you have the right skill set and can demonstrate that skill set, you're valuable to a company. I think the more people that are aware of picoCTF and what we have to offer. We're just trying to open up doors and provide opportunity. And ultimately, picoCTF. The sad truth is that we are self funded. We're not allied I'm in the university's budget, so we are constantly posing for funding, looking for sponsors so you know if there's any benevolent benefactors listening to the podcast, maybe they'll think I'm just dying to spend my money I'm gonna spend it on, you know, we'd be eternally grateful. It all of the kids would be really grateful. You know pico should survive people, pico should keep going long after I'm gone, long after David probably retires, I think it's really just an exceptional program, and keeping it free and accessible is, you know, the keystone, that's going to make a difference, help this program for us to maintain it's impactful.

Vamosi:  Okay, if there were a marketing budget. What would Megan want to say?

Kearns:  Yeah, so my suggestion to people is always like go into pico, join picoCTF, go into the pico gym, choose those really low points, right to the challenges was really a point go to the general skills. First, you need though and I give you permission 13 year old you, I give you permission to use the internet to find your solutions, right, I give you permission to look around, I give you permission to do research because that's a big point in picoCTF I think sometimes people don't realize when they come into it. We aren't going to give you a wealth of materials, it's going to be there's a chapter that you can look at that's going to give you the answer to that challenge, right, if you really do need to apply critical and creative thinking. And some of that involves you actually learning other skills along the way just to find the flag, but it does, it does accumulate, right, you do use these and later tout the, the skill set and later challenges in the program so we, it was one of the reasons why the game is useful when we gamify it because it gives people a space to play a game, kind of take a break, mentally, because these challenges. I always say you feel all the feels when you're playing the challenges in picoCTF because you go through a range of emotions, you know, you do get frustrated. But you do feel the excitement. There's a fantastic feeling when you, when you get the flag, when you solve the challenge. You do have to work for it, involves a lot of initiative on the individual's part. And that's not typically the way classes are taught in high school, in middle school and even college. A lot of the information is presented to you. So with picoCTF, it really is about going out seeking answers, but you know I give you permission to do that, you should feel free to do that.

Vamosi:  I’d really like to thank Megan Kerns for talking about picoCTF. If you’re looking to get certified as a Certified Ethical Hacker, or even CISSP, check the picoCTF Primer, and while you’re there, sign up for the picoCTF Gym and practice your CTF skills. Who knows, maybe you’ll learn something new.

Hey, let's keep this conversation going. DM me @robertvamosi on Twitter, or join our subreddit or Discord channel. You can find all the deets and invites at

The Hacker Mind podcast is brought to you every two weeks, commercial free, by ForAllSecure.

For The Hacker Mind, I remain the more king of the hill vs jeopardy style, Robert Vamosi.
