The Hacker Mind Podcast: Shall We Play A Game?

Robert Vamosi · January 27, 2021

Capture the Flag is a game, a community, and a really cool hacker culture. But will we one day stream CTFs like we do World of Warcraft or League of Legends?

Whether it’s designing or just playing CTFs, John Hammond knows a lot about the gamification of infosec. He even has his own YouTube channel where he shares what he’s learned from different challenges. In this episode of The Hacker Mind, John shares his experiences building and executing his own CTFs.

Listen to EP 13: Shall We Play A Game?

Vamosi: When I was a kid, growing up in the Midwest, with nothing but corn fields and blue sky everywhere, I frequently got bored. Really bored. So I would take things apart. Mechanical things. Electronic things. Things I found in the basement of my parents’ house. My process was crude. Often I would just use a screwdriver and break a toaster, for example, down to its smallest components, and then try and map out its circuitry. Let’s see, the power cord goes in here, so where does that electricity go next, and how did it turn the toast brown? Oh, and what is this rheostat-thingie doing over here? Then, after a while, I’d try and solder it all back together again. I wasn’t always successful. [shock sound]. But I did learn a lot about electricity in the process without calling an ambulance or the fire department.

As I got older, I started to play around with computers. By then there were computer games, and at that time it wasn’t the single shooter games. No, what hooked me was Myst. This was a benevolent, stunningly beautiful mystery. It was a 3D puzzle writ large. You had this entire island, and you had to figure out what happened to the original inhabitants; they were all missing. The island was empty of people, yet there were things left behind. There was a back story. Something did occur, but what? At first the clues weren’t all that obvious. Then literally everything was a clue, and to resolve these required different skills. There were codes to break, there were images to match, there were different challenges to get you from point A to point B. It was a labyrinth full of puzzles and challenges, and I don’t remember if there was an endpoint or not.

In this episode I’m going to discuss the relationship between hacking and game playing. More often than not they go together.

Welcome to the Hacker Mind, an original podcast from ForAllSecure. It’s about challenging our expectations about the people who hack for a living. I’m Robert Vamosi and in this episode I am going behind the scenes to discuss what goes into creating and executing a CTF. It’s more than you might think. In a moment you’ll meet someone who’s been gamifying infosec for years.

[Music]

Hammond:  I grew up, kind of like any kid like oh I want to make video games or oh I want to be a hacker, and they’ll go online and kind of Google and research that sort of thing.  

Vamosi: This is John Hammond, and from an early age, like me, he began to demonstrate some of the basic skills necessary to become a hacker.

Hammond: So I kind of got a little bit more inquisitive and a lot more curious and wanting to learn and understand more about the technology in front of the computers, the programs that I would use on a day to day basis. And I would just wonder, like, how does that work? Why does it work the way that it does? Can I make it do anything that it wasn’t supposed to do? And that curiosity and I think that that inquiring mind is the kind of person that’s really drawn to these Capture the Flag games. So, hey, how does my remote work? I’m gonna break it apart, just so I can understand it.

Vamosi:  Today, John has taken his juvenile curiosity in breaking things down to become a security researcher with Huntress Labs.

Hammond: As a security researcher, I am hierarchically in their Threat Ops department. So, it’s the cool high flying on the keyboard work between looking at malware or kind of reverse engineering and peeling apart what we find on some of the hosts and partners’ computers that we have. That is super duper fun, because, hey, we’re seeing neat, live off the land techniques and tricks where we invoke PowerShell through Visual Basic script through JScript through blah blah, and it’s really fun to peel back the layers on that. Additionally, I am kind of pulled into the marketing department a little bit to give presentations and write blog posts and kind of be out in the spotlight educating the community, and that’s fun, but not nowhere near as much fun as doing the real work, kind of on the keyboard.

Vamosi:  In the episode we’ll focus on John’s YouTube channel where he talks about his experiences playing Capture the Flag. But first, how does he describe CTFs?

Hammond: I tend to explain Capture the Flag as sort of gamified cybersecurity education. It’s working through activities, and exercises and challenges really is kind of the real term, but small puzzles that will help you get in the weeds and really solve a technical problem with real application based hands on learning to test and learn your cybersecurity skill, whether it’s memory forensics, or cryptography, or web application security or even like binary exploitation, or other tricks and steganography, miscellaneous kind of red team operations, and it covers a lot. And that’s kind of what I try to explain to people, and if you have an interest in computers then you should play Capture the Flag, because you can learn so much just by tinkering, just by playing and having fun.

Vamosi: Tinkering and having fun. So John and I have that in common. Probably you do too. I mean, what curious kid hasn’t taken apart something electronic to try and figure it out on their own? Okay, a few more definitions up front. Not all Capture the Flag competitions are the same. There are two types. For a lot of us, the version of CTF we’re likely to encounter most is Jeopardy style. You know, like the game show. I’ll take Potent Potables for $300, Alex, which is just a PC way of asking for a drink.

Hammond: It’s funny. Yeah, I think there’s definitely a well established Jeopardy style, like flavor and style of capture the flag. Jeopardy, I think, is the whole gamut. Truthfully, it’s a mixture of everything and, yeah, you can pick and choose what category you might be interested in, or you might have a special specialty in, right? Say, hey, you’re really sharp on forensics, but another person or another individual on your team is super sharp in binary exploitation. So they want to tackle that category. Or you can kind of be a jack of all trades and learn as much as you can, be really well rounded. But I think either style of gameplay fosters a lot of collaboration and teamwork. So, sure, if your buddy is super smart in one aspect, you can learn from them, they can learn from you. It’s kind of a community, and a really cool culture.

Vamosi: So John likes to play CTFs and with Jeopardy-style games he later shares what he learns on YouTube. So, if I want to know more about the types of questions I’ll encounter in a particular CTF, I’ll just watch John’s videos. For example, from CSAW 2018, John talked about a crypto challenge category on the Jeopardy board called babycrypto. The question itself was ridiculous, it has a lot of “yeet”s in it, literally y-e-e-t, but all that basically boils down to just one line: “A single yeet yeeted with a single yeet == 0”. Okay, what? John took this to mean that maybe we’re looking for a single byte XOR. Included with that question was an encrypted text file which John downloaded, then wrote a simple Python script to decrypt it. When he did that, the encrypted text resolved as a nonsense clear text phrase about “Leon is a programmer who aspires to create programs that help people do less.” At the very end of that text block was clearly the word “flag” followed by a Diffie-Hellman key, and this is what you submit to claim the points. That’s an example of Jeopardy style; a series of questions like this, and they get harder or easier based on the point value. There’s another flavor to CTFs, one that’s more glamorous.

Hammond: I think the other one that most people probably consider as the second flavor is probably attack and defend.

Vamosi:  Attack and Defend or King of the Hill, that’s the version of CTF you see at DEF CON. It’s exciting because it best mirrors the world of pen testing and hacking on a red or blue team.

Hammond: It’s kind of like a live game between a red team or a blue team, maybe in that sense of the two vs two, or multiple teams that have their own services they have to kind of maintain and make sure they are up and available, but those have flaws and gimmicks or bugs, and another team that has the same vulnerability that they might need to maintain, but you can also go on the offensive, so not only defend, attack and defense, but also attack, right, go on the offensive and beat up the other players.

Vamosi: Okay, for CTFs we’re basically talking about two types. Got it. How do I know which type I’m signing up for? And, hey, where do I even go to find out about these competitions? There’s this website, CTFtime, and it lists literally all the CTFs. There’s practically one a week, if not more.

Hammond: It’s funny, I think there’s sort of a CTF season when kind of all the universities are kind of back in session. Hey, September, the school year’s starting, and you’ll see, yeah, hey, some school XYZ is putting on a game, or hey, there’s a conference going on and there’s another event. Hey, there, we got another competition rolling up kind of from some industry company organizations putting something on. It’s incredible, just about every weekend or close to it. There’s so many you can kind of get your hands on and play.

Vamosi: After playing these, John of course has a few favorites.

Hammond: I’ve tried to participate as much as I can. And one game that I am really really fond of, it’s the All-Army Cyberstakes. So I originally had kind of participated in Cyberstakes way back in 2015. I found Cyberstakes back in 2015, was at the service Academy at the Coast Guard for me, and the military cares a little bit more about, like, the security of stuff, like, sure, it’s cool, you can make this. But can anyone break this? It’s the good versus evil, kind of a make not just break and make, that sort of idea. And I think at that point, it kind of originated as kind of a competition between all the military academies, the service academies, between West Point and Annapolis and Coast Guard’s in there, Air Force is in there. Now I think they just brought Merchant Marine in, but it’s very very cool and very very fun.

Vamosi: Cyberstakes is a bit unusual in that it runs for 10 consecutive days, allowing the players to go to work and school and then catch up and play at night. The general goal with Cyberstakes is first and foremost to introduce and educate people with basic infosec skills.

Hammond: Because what I’ve seen All-Army Cyberstakes do, at least in some of the recent games, is they’ll take a classic vulnerability, they’ll take kind of a well known vulnerability that there’s a lot of kind of decent understanding of and people know what they can identify, but they’ll spin it on its head and add a little gimmick or little twist in there so you’ll kind of have to do some creative thinking, where my SQL injection works, but it only works because it’s tracking whatever IP address on come from and, oh, I could somehow alter that or manipulate whatever header and field so that I could slowly squeeze in and then, whatever, I can run a command and call back from the server, etc etc. So rather than a cookie cutter or one equals one, just to kind of a one step, bare bone basics question or task of you, it becomes this more thorough, complex critical thinking exercise where you’ve got a couple other hoops or things to work through, some other hoops to jump through. And I think that’s really really fun. I like that extended complex problem to work through. But that’s one that I really love and appreciate. All-Army Cyberstakes is great.

Vamosi: If you want to learn more, I covered the Cyberstakes in Episode One of The Hacker Mind. And I talk about the need for military brass to better understand computer security if they are going to enact policies that involve computer security.  So, that’s the military. What if, like me, you’re not part of the military? What’s a good entry point for starting CTFs or information security for that matter?

Hammond: But for kind of the beginners, kind of ones just getting started, newcomers that are interested in this field, I do give a lot of love to PicoCTF. I think that’s become well known, it’s just what folks will point to and say, hey, if you’re interested in Capture the Flag, this one is really great at holding your hand and just kind of getting you in the thick of it. Even if it’s running simple Linux commands and just being in the command line to navigate around the file system, it’ll get you started. And that’s fantastic to really just springboard someone into a great scene and culture.

Vamosi: Wait. It says on their website that PicoCTF, which is created by security experts at Carnegie Mellon University, is the largest cybersecurity hacking contest for middle and high school students. What if I’m older?

Hammond: Yeah, it’s funny, I see it advertised as, like, hey, it’s for middle school and high school students. And then someone might play who’s years ahead and, like, hey, they’re in the 30s or 40s and say, this is too hard, this is, this is a kick to the ego. But, no, it is really for everyone. It’s for your learning, it’s for your playing, and don’t feel like you have to take “oh, it’s aimed towards middle school, high schoolers” as some strict rule. It’s something meant to be approachable to everyone.

Vamosi: There’s another popular CTF. I talked to a member of the Plaid Parliament of Pwning, arguably one of the best CTF teams in history, and in Episode Two of the Hacker Mind, Zarata mentioned that before joining PPP she got her start with Cybersecurity Awareness Worldwide, better known as CSAW.

Hammond: Oh yeah, yeah. CSAW, that comes out of New York University, I think, is that right? They put together a great game, and even their finals get into other rounds of it, they do get a little bit more complex and have a bit more weight to them. But some of their beginner stuff, and kind of just hate learning forensics or getting your feet on the, getting your hands on the keyboard, right, they do an exceptional job.

Vamosi: So Cyberstakes, PicoCTF, and CSAW have each been around a while, almost 20 years in the case of CSAW, but there are a lot of new CTFs coming online. And with some of these you can make a fair amount of money if you win.

Hammond: Yeah. Yeah, absolutely. And you can kind of approach that from two different ways. So some events, some games, some competitions in that capture the flag scene will have a monetary prize if you play as a player. Hey, I don’t know, Google’s finals or some of the DEF CON stuff, or whatever the case may be, whatever group organization may say, hey, we’ll pay you $1,337, we’ll give you some elite money or whatever they would like, or you could have some incredible prizes, not in monetary value. Some of the Pwn2Own games, right, if you break into this car, if you hack into this airplane, you could have it. There’s the incentive, whatever you hack into maybe you could keep, or we’ll give you a drone or some other Raspberry Pi, some hacker toy. And those are always, I think, good wins there. The other aspect of that is, if you’re not acting as a player, and you are kind of organizing or hosting or offering these Capture the Flag games, I think, personally, there is an interesting kind of market, and like that, that’s a niche thing. Maybe you could be contracting out to companies and saying, hey, we’ll put on a game for you, we’ll, we’ll develop the challenges. We’ll host the infrastructure, we’ll support and moderate, and we’ll just deliver the whole service of some training for your personnel. Maybe you can take that route. You could approach that and still earn some money.

Vamosi: So with all these CTFs, is there any market value to, say, winning these competitions? Are you more likely to get hired over someone else?

Hammond: I think, I think there is honestly a lot of self notoriety attached to it. Sure, you get bragging rights and you get your nerd points, but on the same coin, like, hey, you can put that on your resume if you’re really interested in that, like, you can claim and say, like, hey, I found whatever thing playing CTF that actually turned out to be a zero day. And that really happens too, right, like whatever research or tinkering you might be doing, you could uncover something that no one else has uncovered before. And sure, you could get some street cred and being an infosec influencer on Twitter if you’re interested in that, but I’ve heard some folks say four good friends that I know that have played and participated in one, some of the DEF CON CTF, and they say in their bio, or in their byline, like, hey, we’ve won the World Series of hacking. So even folks that aren’t overly nerds like us that play Capture the Flag, that kind of thing, like, oh hey, that’s a cool dude, he really knows what he’s talking about. He’s been in this. So, I think that does bring some real value.

Vamosi: Then shouldn’t more companies be starting their own, if only to better educate their staff or to recruit and retain staff they already have?

Hammond: I have screamed and I shout from the rooftops, I try and sing the praises of capture the flag because it’s such a great way to learn, and that there is motivation in seeing your name up on a leaderboard and knowing you can solve just one more and you’ll pass that person ahead of you. So you’ll go and learn, and you’ll go and study and research and Google around and try and solve whatever task is in front of you. It cultivates some real feeling of lifelong learning, and companies, right, your employers, they kind of like that, they kind of want that, if you’ve got this motivation, this passion and drive. Seeing their people, seeing their own personnel participate in Capture the Flag, I think that goes and proves to them that, hey, that individual is really dedicated and kind of loves this stuff, they, they want to get more and more of it, and they’re happy to encourage that.

Vamosi: So how easy is it to create your own CTF? I mean you get a website, you promote it. It’s just a bunch of questions, right?

Hammond: There’s a lot to kind of unpack, okay, in that conversation. First, I think, and this, the questions that you have to ask yourself will probably help answer what you’ll end up doing next at the technical level or actually implementing it. But you have to know how many people do you expect to play this game, because how strong infrastructure or what kind of powerhouse server do we need to put this on? And how long is the game going to run for? Is this going to be an eight hour, hey, just a single day sprint, or are we running this throughout the weekend or a whole week, even, for some long form training? Those will help you figure out how many challenges do we need, how many activities and puzzles should there really even be. And what do we need to spend to put this on? Are we going to be using some cloud hosting infrastructure? Is this all going to be on premise where, hey, we’ve got our own beefy servers? I think you kind of have to know, at minimum, how many people are going to play and how long are they going to be playing for. Those are the starting tidbits.

Vamosi: So there’s a fair amount of infrastructure to consider.

Hammond: Yeah, then I think we get into kind of the conversation of infrastructure, right. And if you’re hosting a Jeopardy game, well, you’re going to be presenting cybersecurity challenges to folks and individuals and people to play where it’s a game of finding insecurity, it’s a game of finding vulnerable stuff that’s meant to be broken and exploited. You’re literally giving hackers a playground. So in a weird way, you have to secure what you’re going to present as insecure. Because if someone were to, I don’t know, vandalize the service, or they remove the flag, delete the flag for other players, but now they can’t solve it, well, that takes some of the fun away. And you have to make sure that the challenges are available. Same thing with attack and defense. If you are considering giving players a network to be able to interact and fight on the battlefield with, is that going to be public on the internet? Can anyone just jump in and play? Do you need to have a VPN or something where they can actually join that? There are a lot of things to kind of consider in that realm.

Vamosi: This is sounding like a lot of work, particularly if it’s your first time. So how far in advance should you plan on scheduling?

Hammond: I’ve had schools and kind of universities and colleges kind of ask, like, hey John, we’re planning this game. We don’t know exactly what we’re getting ourselves into, so they’d ask the same sort of questions. And I think the infrastructure will take a significant amount of time. I will probably give that a month or two months if you haven’t done it before. If you built out your solution, like, hey, I’ve got Terraform, I’ve got Vagrant, whatever, I’ve got Chef and Puppet and they can spin up some AWS instances or some Kubernetes cluster and then it’s done in, like, the snap of your fingers. Sure, if you’ve done it before and it’s pretty unpackaged, you don’t have to spend a whole lot of time on that. But if you’re doing it for the first time, it’s a little bit of an undertaking if you are still learning that process. So I’d give that maybe one or two or even three months, if that’s the first time. If you’re doing challenge development, if you’re creating the puzzles and the tasks and the activities that the players are going to do, again, depending on how many you’re going to roll out, that will take a lot of time. If you’re working with a team of people, like, hey, you and your buddies are putting this together, or your school club or whatever the case may be, maybe five people, if you want to push out 30 challenges, hey, you’re probably juggling life and other school activities and plenty of other commitments. Maybe that’ll take a month or two or three unless you’ve got a team of people kind of coordinating who can tackle what. I would think it might take some months in planning to do. Does that kind of resonate the same way with you?

Vamosi: Are there established rules? You know, a Robert’s Rules of Order for how the games should be played, or is it the wild wild west? Remember the example above? By the time you decode the message and read through the plain text, how did we know we found the flag? Right, it was clearly marked, with the key. That’s what you have to submit.

Hammond: I think so, in my opinion, and I’m sure you probably know what it’s like, the Many Maxims of Hosting Maximum CTFs, or is that, I think that’s ForAllSecure or PPP or some correlation. But I think they put out here some ground rules, like, hey, you should have a standard flag format, like when someone solves a challenge, they should immediately know that they’ve solved the challenge. There shouldn’t be any sort of uncertainty as to, wait, okay, I popped the shell, now what? Hey, we should probably put the flag in the current directory they land in or whatever the case may be. Having that flag format helps them know, hey, I know what I’m looking for. I know what my objective is, I know what I’m targeting. That’s one, I think, important standard. The other is kind of on that same vein, kind of a trajectory off of that, and there shouldn’t be any guessing, like, we don’t want some logical leap of faith that no one other than the author, the person who designed this challenge, would be able to draw that conclusion. Whatever we can do to put in breadcrumbs or some leading things so that person can help themselves learn, and maybe even know they’re going down the right path, we want to put that in place, because we don’t want it to just be a guessing game. That takes a lot of fun out of it.

Vamosi: There are other difficulties such as registering the players, and then granting them access, then there’s scoring. Some of this has been templatized.

Hammond: Thankfully, some of the technicalities are handled by whatever platform you might be using. If you’re working with an open source kind of project or organization plan that, like, hey, we’ll use CTFd, we’ll have that open source framework that we can put to use for the front end, and that will handle users and user registration, login, etc. And the scoreboard, it’ll just kind of create and generate for you then. Okay. When a person solves a challenge, if they’re tied with someone at the very same point value, it will go based off time and say the first person that solved that is hierarchically in first place or second place, they’ll be higher up because they solved first. Thankfully, a lot of times your framework, if you’re using one, can handle it for you. CTFd is phenomenal. In my opinion, personally, that’s what I use. I know FBCTF or Facebook CTF kind of project is a thing. PicoCTF, of course, theirs is open source, and there’s a lot to unravel in that. Our CTF I think RACTF, I see there’s plenty. If you go online and Google around, you can find some pretty incredible front end, open source frameworks to use. And thankfully that’ll handle some of the technical difficulties. But you and your team also still want to be moderating and facilitating and just supporting the game. So hey, all of a sudden the website went down. Oh, okay, let’s go check to make sure whatever Redis cache or whatever is still intact. Or, oh, we’re not getting points for something, like, oh, is the database still functioning correctly? Or, okay, there’s something wrong where anything I submit is still corrected and accepted as the actual answer. Well, we should go make sure the flag validation is set. So you do need a human, of course, actually being able to moderate and support the game. I would definitely recommend having a team for that. Because if you have a large player base, that can be like fighting fires, it can be very frantic and really chaotic.

Vamosi: So how does this advice play out for John? How did his CTF go?

Hammond: Originally, we hosted VirSecCon, I think, was the first in this saga. And that was 10 DigitalOcean servers on the front end and the load balancer there, and another 10 DigitalOcean servers on the back end, so the front end would run all the CTFd front end instances, and there’d be a Redis server and a MySQL database off kind of in their own land but not behind a load balancer. And then the backend servers would all run Docker containers, and that’s how we would kind of encapsulate and secure our insecure challenges. Those would work well. But it meant that every player that connected to a dynamic service was sharing that service with the other players. So, it’s a shared container, and a shared instance, so we have to lock it down and make it read only, because if one bad apple vandalizes the challenge, kind of as I was discussing, they would remove the flag or they just rm -rf or drop files everywhere. It ruins the fun. So that was kind of a limitation to that development infrastructure setup, because there was a shared container. Now, later on, after VirSecCon and after NahamCon and then after H@cktivityCon and BSides Boston and GRIMMCon etc., now we’ve kind of moved into some more stable infrastructure, in my opinion. We’re using the Google Cloud Platform, and we’re using Kubernetes to scale out Docker clusters and containers for everything. So the CTFd front end is a Docker container, the SQL Server is some of, I think, Google’s SQL, organization, cloud customers, stuff like that. And it’s all scalable, because it’s Kubernetes, and all the challenges can be kickstarted and kind of deployed per user. So now we’re no longer using shared containers. And every user gets their own instance, so they can rm -rf, they can fork bomb, they can do whatever they want, they’re only hurting themselves. So much, much better, much more stable, and gives us a lot more flexibility with what we design and create.

Vamosi: It sounds like you have to create like an intranet. Something that is isolated, a sandbox, in which you host the CTF. It’s not so much that there’s a danger leaking out into the broader internet, it’s more that you don’t want players sabotaging players. So the insecure environment that’s threatening the East Coast, you know, power grid or whatever, it’s more. It’s more that there are flags and if the flags are missing and you did this challenge and you get to the bottom and there’s nothing there, you’re going to be really bummed out.

Hammond: Yeah. So, yeah, I do think that’s the value of capture the flag in some way. You made this point like hey it’s not a real thing, like, threatening or impeding, whatever power grid or system that’s in industry it’s, it’s a sport, and it’s for play. It’s a game and it’s a puzzle. There are things, some conversations that kind of poopoo on that they say whoa it’s not realistic, or but truthfully I combat that I’d argue against that like you’re distilling down the learning process to kind of bite size digestible chunks, and you can get to a much much more in depth complex realistic level, depending on what game you play or how you approach it. But for getting your feet wet. It’s a really great vessel to jump in.

Vamosi: Even as a pro, John has had his moments when... well, everything seemed to go wrong.

Hammond: So, this will be a story in moderating and support, and facilitating a game, because recently we’ve tried to put together a better looking display, and kind of a cozier, more friendly look towards the Capture the Flag games that we put on, because we wanted to bring in these per user deployable instances for challenges. We wanted to make it something that anyone can just spin up and play with. So we basically wrote some custom wrappers and plugins for CTFd. Because CTFd on its own, like, works really well, it’s great, it’s open source and extensible, but we wanted to do more with it and we didn’t want to look like a classic vanilla flat CTFd instance. So with our new plugin that was working with these deployable Kubernetes based challenges, we had to reimplement a lot of the things that CTFd did. That also meant reimplementing whether a flag was valid or invalid. So there’s some, there’s a solve function in Python. And there’s also a fail function in Python, and there are some wrappers to execute those as you click the submit button. We had, during a real game that we were hosting, some accidental typos, some accidental copy and paste, that the fail function was calling the solve function. So no matter what you put in, even if the flag validation regex or the regular expression was right, everyone was getting points everywhere for every challenge. We’re like, what is happening? That was a big boo boo, and a big mistake, and we were really pulling our hair out trying to figure out what was going wrong, because it’s like, the database is working just fine, all the instances are up, the flags look fine, what is happening? And then we had to turn to our own code, we had to double check, triple check, until we finally saw it, like, oh my goodness, it’s doing the entirely wrong thing all along at just that one line of code. So, I guess it goes to show. Yeah, we all want to develop secure and good stuff. But we all do fumble, and that’s where maybe some of our vulnerabilities come from, is just accidents and mistakes.

Vamosi: So how did that end up? Clearly everyone couldn’t win. I would imagine, though, that even with the system awarding points, there was a database that confirmed the flags that were being turned in. It’d be a matter of reconciling those databases, right?

Hammond: I guess resolution of the story boils down to an excellent and incredible moderating staff and support, because we could check in on what players had submitted what. So if we could see they posted this flag as the answer and it was very clearly not the flag, they just typed in, right, asdf Qwerty or whatever, we, we could remove their points, and it’s like they hadn’t actually solved that challenge. So, for some time we were kind of fighting the fire there and would end up taking away the solve for people that didn’t legitimately solve that challenge, after we had kind of fixed the problem and plugged that hole. So, it did get resolved, and for a little bit it was just a running joke or some accident where, hey, the first hour of the game all points are free.

Vamosi: Given this experience, what advice does he have?

Hammond: Yeah, I guess the biggest takeaways for me when hosting a game is: never trust the player, because there will always be someone that kind of vandalizes or removes the flag or just kind of wants to break things. Always kind of prepare for more. So hey, we’re expecting 1000 people to play, or at least we’ve got 2000, we think maybe 2000 people will play, you want to err on the side of caution and prepare more infrastructure or things necessary to be able to handle that load. And the same thing for time, especially if you’re working with another party, if you’re working with a school, if you’re working with a company or business to put this thing together. There are a lot more logistics that you have to keep in mind, like, hey, what about prizes, who’s going to handle prizes, are we doing prizes, or what about support, is there going to be a Discord server, are we handling a Slack server? I don’t want people to be emailing me questions for a capture the flag. There are a lot of other things to keep in mind. And I would have everyone kind of dot all the i’s and cross the t’s if they want to put that together.

Vamosi: So where is this going? 

Hammond: I have a lot of folks that asked me kind of from the other stuff that I do is like, do you think hey hacking and capture the flag will ever turn into this eSports thing where we’ve got a spectator sport, and just like gaming just like hey, someone might stream, World of Warcraft or League of Legends or whatever. Will people stream, playing Capture the Flag, and will that hacking become a sport, much like gaming has now. And truthfully, I think it will. I think that would be very cool and I’m excited and looking forward for that day. I don’t think we’re there yet. We might have to get a lot more people interested in the scene, but I definitely agree that it aligns really well with gaming, because it is something to play and tinker with. So, yes, you’ve got your hacker mindset, and you’ve got your gamer mindset where you want to compete and you want to explore and play. So definitely I think it strikes a chord with both.

Vamosi: I’d like to thank John Hammond. And encourage you to check out his YouTube channel for more insight into the CTFs we talked about here.
For the Hacker Mind, I remain your eternally puzzled and perplexed Robert Vamosi.


*** This is a Security Bloggers Network syndicated blog from Latest blog posts authored by Robert Vamosi. Read the original post at: https://forallsecure.com/blog/the-hacker-mind-podcast-how-to-get-started-hacking