Keynote:CTF: All the Cool Kids are doing it by Chris Eagle
-
Upload
code-blue -
Category
Technology
-
view
1.106 -
download
1
description
Transcript of Keynote:CTF: All the Cool Kids are doing it by Chris Eagle
Chris EagleCode Blue
18 February 2014
! Everything I say today is my own opinion and not necessarily the opinion of the US Naval Postgraduate School (NPS), US Department of Defense (DoD) or the United States Government
! Senior Lecturer ◦ Naval Postgraduate School, Monterey CA (1997-
present) ! Leader ◦ Sk3wl0fRoot Capture the Flag team, winners of
Defcon CTF (2004, 2008) ! Co-founder ◦ DDTEK, Organizers of Defcon CTF (2009-2012)
! First and foremost a game ! A chance to excel! ! Meet new people ! Lose some sleep
! Opportunity to (legally!) apply skills associated with all aspects of computer security ◦ System administration ◦ Network traffic analysis ◦ Digital forensics ◦ Vulnerability analysis and exploitation ◦ Cryptography ◦ Web and database security
Courtesy of Kenshoto
! Organizer's develop challenges to be solved by participants
! Two main formats ◦ Jeopardy style game board ◦ Full spectrum team vs. team in head to head
competition
! Typified by Defcon qualification round
! No head to head interaction between teams ! Solve puzzles to earn points ! Solution to puzzle usually reveals a secret
value known as a key or flag ◦ Hence “capture the flag”
! Wider variety of puzzles because each one does not need to be “live”
! Teams directly attack each other while organizers act as judges to award points
! Defcon CTF is longest running ! Others ◦ UC Santa Barbara iCTF ◦ Positive Hack Days CTF ◦ Codegate CTF
! Apply skills in hostile environment ! Exploit development ! Vulnerability mitigation ! All challenges are live “services” ◦ Must be kept running and defended while
simultaneously attacking other team’s services ◦ Successful exploitation results in access to a flag
! Generate interest in computer security ◦ Attract new people to the field
! Fresh challenges test anddevelop skills ◦ Interesting challenges motivate
tools development ! Builds a community of talent
and shared knowledge aboutsolutions
! Desire to learn ◦ Creative challenges spark interest
! Legal, low risk way toexercise offensive skills
! Bragging rights ◦ Winning Defcon carries some
prestige ! Prizes ☺ ◦ Codegate – 4.3M ¥ ◦ PHDays – 900K ¥ ◦ Defcon – Black badge
! Defcon ◦ Defcon 10, 2002 8 American teams ◦ Defcon 21, 2013 20 teams, ~66% international ! Hundreds of teams attempted to qualify
! UCSB iCTF ◦ 2003 – 14 teams ◦ 2012 – 90 teams
! Almost weeklyevents today
! Large body of past challenges ! Large body of publicly available solutions ◦ Generally self-study
! Each new CTF provides an assessment opportunity ◦ Only metric is final score ◦ No feedback to assist with improvement
! DON’T DO IT!! ◦ Trust me on this one
! If you must, then consider why ◦ It is totally thankless ◦ Give back to the community ◦ Talent identification ◦ Educational opportunity ! Coach people/teams up prior to event ! Provide feedback after event ! Teach people about challenges after CTF ends
! Japan, like many other countries, faces a shortage of skilled cyber professionals ◦ By one study as many as 80,000 people needed
! Identifying and attracting new talent as well as retaining existing talent is essential
! Competitions such as CTF both spark interest and offer an opportunity to evaluate ◦ Huge growth in participation in past 10 years
! Just get out and play!