Security Capture the Flag Competitions

Many people look at capture the flag competitions with varying reactions. Some look at them as ways for groups to show off. Others look at them with disdain wondering why someone would want to brag about the ability to break into computers. There are a very large number of who view the participants with a some measure of awe. They take the attitude of "I could never do that".

The most famous security capture the flag competition is held each year at the Defcon Security Conference. I have been attending Defcon for 11 years now, and that competition has always been one of the highlights of my experiences.

During the first couple years, I would wander into the competition area, and watch, hoping someone would tell me what was going on. The teams participating would see me first as a spy looking to gain information from them. They would shoo me away. Trying to watch their screens didn't go over much better. Once in a while I would be able to talk to one of the team "members" who wasn't really participating, but their knowledge of how the game actually worked was limited. The organizers didn't exactly see a benefit to providing information to the public either. It is my belief that more than a little of this attitude stemmed from them wanting to maintain an air of mystery around the competition. And with all the work I know they put in to make both the qualification round, and the main competitions a success I think they deserve a little swagger. Kudos to DDtek, the group who has been organizing the competition for the past couple years.

I got my first big break when a friend was invited to play with a team who was short-handed. He vouched for me, and for the first time I actually found out how the game worked. I got to help with reversing a service, and weaponizing a vulnerability into something that we could use to score points. We didn't win, but that gave me a taste of what it was all about.

The next year I was invited to try to compete as part of a team local to my area. We came close to qualifying a couple years in a row, but didn't quite make it. Each year we would tell ourselves that maybe it was for the best since we weren't terribly confident that we could put on a good showing. Besides CTF takes a lot of work, and we weren't sure we were committed to devoting that much potential party time. But every year members of our team were able to latch onto another team, and work with them. These teams didn't share all of their "special sauce" with us, but at least we got to see what was going on each year.

On the plus side we got to see a bit about the what would be needed from an organizational standpoint. We saw things that worked. We saw grand ideas that ended up flaming out. And most importantly we got to learn from each other.

That is probably my favorite part about these competitions. As a consultant I spend much of my time working on various pieces of security for clients. I sometimes have the chance to develop custom tools and techniques for a given situation. Unfortunately they are almost always tied to a specific client, and I can't share them without revealing information that isn't public. In the same way, many of my peers know some really cool things that they can't teach me because we don't have the right environment. Capture the flag is great because we get to work together without worrying about industry competition issues. We can share techniques, tools, and experiences that we can apply to the benefit of our future clients. We all come away with new skills, and a greater motivation to finish of that project that would have made all the difference for our team.

This year my local team was able to qualify. In future posts I will be covering more about the setup of the Defcon competition. I will talk about how qualifications work, and some of the stresses involved in it. I will also share what it's like being on the other side of the table, trying to work on something that is consuming all of my attention while spies are trying to weasel information out of me.

Hopefully someone may find it interesting and might even look into connecting with a team. You can never have too many people.

Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.