A big draw at every DefCon is the team event, CAPTURE THE FLAG (CTF). This competition is for the world’s elite hackers, the best at both red and blue team attacks and defenses. The games are currently sponsored by the Nautilus Institute, a very interesting group of cybersecurity game experts. To learn about the long history of the CTF games and its prior sponsors, see this DefCon page.
This is the fourth in the DefCon Chronicles series: Where Tech Elites, Aliens and Dogs Collide – Series Opener, then Hackers Response to President Biden’s Unprecedented Request to Come to DefCon to Hack the World for Fun and Profit, and third, Sven Cattell’s AI Village, ‘Hack the Future’ Pentest and His Unique Vision of Deep Learning and Cybersecurity.
Hacker Olympics: Capture The Flag
The DefCon “Capture The Flag” competition is the Olympics of hacker team competition, but even bigger. It had one thousand, eight hundred and twenty eight – 1,828 – CTF teams. The Summer Olympics had 206 teams. The hacker CTF Olympians competed in elimination rounds throughout 2023. Only the Top Twelve Teams made it through to the final rounds in Vegas. In CTF games players face a variety of challenges, where teams basically try to break into each other’s computers in carefully specified ways. They break through defenses, get inside the other’s computer and claim virtual flags to earn points. At the same time, they defend against the other team trying to do the same thing to them. Typically, each team both attacks and defends at the same time. It is just the kind of insanely complicated game, with time limits, rules and judges, that only super-nerds would enjoy. This is an intense, serious competition that prepares you for real-world cybersecurity challenges.
Each game has a unique challenge, a different set of rules. The specifications became more arcane and difficult as teams advanced, to the point that in the finals, even though these were the best players in the world, some teams had to turn to ChatGPT 4.0 for help. That was perfectly legal. There was even a DefCon 31 presentation on that by Gavin Klondike (GTKlondike), ChatGPT: Your Red Teaming Ally. The teams have no advance notice of the dictated challenge tactic, so they could not research it in advance. Still worse, in the finals in Vegas, they only had 50 minutes per contest. The first team to get in and score points won. It was a nerve-wracking race, especially in the last round, which was sudden death. These events, like the Olympics, are all very carefully set up and monitored by judges. Although, unlike the Olympics, there was no drug testing. But, like I said, the competitors take this very seriously. It is where reputations are made and lost. Coaches and team captains made sure the star players got enough sleep each night.
As in the Greek Olympics, only the elite competitors had a real chance to reach the final twelve teams in Vegas. There are favorite teams that come back each year, with slightly shifting team members, captains and star hackers. The same teams dominate every year, again, like the Olympics. But, in the Hacker Olympics, one team has won seven times in the past eleven years! That is an unheard-of dominance. Can you guess the hacker team supreme? Hint: it is affiliated with a university.
Hacker fans follow the competitions closely throughout the year. They even release the specific challenges after a match, and you can test your own skills and times against the competitors. Fans have great enthusiasm for the winners who make it to the finals in DefCon Vegas. You hear cheers all around the Crazy Big Room when a favorite team wins. The games are shown on big-screen monitors and broadcast live, with referees, crowds of fans and announcers.
The live DefCon 31 games were set up so that you could follow each team’s action on split screens. You could literally see their computer screens in real time and watch everything they did. The move-by-move expert commentary was helpful too, and sometimes funny. But even with the hacker sportscasting, I could not follow most of what was going on. You really have to see it to understand. For that reason, I edited the five-hour DefCon video of the finals down to an 8.5-minute version, shown below.
In the full video the announcers explain that in the final rounds in Vegas, each match is by a single team player. They had no team help. They were on their own. Plus, the last challenge seen on the tape was a sudden death game. The video is well worth watching.
At the start of the edited version below, after showing the scoreboard, it begins with a segment where one team uses ChatGPT in a particularly arcane challenge. The sportscasters loved it. That was one part I could follow.
Below is an official school photo of the winning team, which competed this year under the name Maple Mallard Magistrates (MMM). Yes, this means the famous Plaid Parliament of Pwning (PPP) team wins again, for the seventh time in eleven years. Did you guess right?
The PPP team is, of course, the team of Carnegie Mellon University (CMU) students (the PPP team), joined this year by University of British Columbia Professor Robert Xiao’s team (the Maple Bacon team), as well as CMU alumni and pros from PPP founders Brian Pak and Andrew Wesie’s startup Theori.io (The Duck team). Once again CMU put together the winning team. The three teams together were known as the Maple Mallard Magistrates team. A great pool of talent was attracted by CMU. Their final score was 9,801 points overall. The team they competed against in the last round was HypeBoy, who came in a distant fourth with 5,794 points. Coming in at second place was the Blue-Water team with 7,428 points. They had a slight lead over MMM in the pre-Vegas qualifying rounds. Coming in third with 3,756 points was TWN48, a 54-member team with 35 students from Taiwan universities, and 19 professionals from Taiwanese companies. Even though the competitors assembled great teams and had some initial success against the mighty Canadian ducks, in the end, Carnegie’s Maple Mallard Magistrates dominated the field.
Jay Bosamiya, aka f0xtr0t, was the PPP team captain. He is shown with a beard in the CMU team photo, on the lower far right, sitting above the man lying down (and shown on Ralph’s MMM digital image far left). The CMU news release quotes Jay as saying:
“It feels great to win once again, and the team is incredibly pleased that we built and maintained a lead throughout the entire contest,” said Jay Bosamiya, PPP’s team captain for DEF CON CTF, a Ph.D. student in Carnegie Mellon’s Computer Science Department, and member of CMU’s CyLab Security and Privacy Institute. “Our victory as MMM shows how well our three teams work together.”
Source: Jay Bosamiya and CMU News Release
In subsequent interviews with the MMM team through a spokesperson, Tyler Nighswander, I learned much more about the competition and the team. Here is our conversation (all graphics, emphasis and some of the hyperlinks were added).
There were multiple components to the CTF. Most of it was teams vs teams. They broke it down into “Attack & Defense”, “King of the Hill”, and the “LiveCTF”. The Attack & Defense portion is where every team runs custom services (such as a custom BASIC interpreter, or a custom WiFi driver) which have bugs. Each team tries to reverse engineer the software (most are compiled and the source code is not given) to figure out what it does, find the bugs, and patch their local services, while simultaneously developing exploits for the bugs to use to attack the other teams.
The King of the Hill portion consists of challenges where teams try to “optimize” something, such as exploiting a piece of software with the fewest number of operations possible. Whoever has the best score every round will get the most points.
Finally there was the Live CTF portion. As you saw this was 1 v 1, with challenges that are designed to be solved faster (the other categories can take teams of several people many hours to exploit). The LiveCTF made up the smallest portion of the total score, but was definitely the most exciting and fun to watch 🙂
In the LiveCTF head-to-head competition in Defcon CTF, in our final round against HypeBoy, our player was Jinmo (a man who never appeared on screen, as far as I know). For all of the LiveCTF challenges the players worked alone with no help.
Ralph Question: Can you share a little more about Jinmo? Was he always your selection for final match? Can you share why he was the pick? Team Capt make the pick? Do you have a coach or coaches? Their role and names?
Our team consisted of three teams playing together that have all “descended” from the Plaid Parliament of Pwning (PPP). The other teams are The Duck, which is the CTF team of the company Theori, which was founded by Brian Pak (the original founder of PPP) and Andrew Wesie (one of the original members of PPP); and Maple Bacon, which is the CTF team of the University of British Columbia, founded by Robert Xiao (a long time PPP member who is now an assistant professor at UBC). (Editor’s comment: see his impressive publications list.)
We don’t exactly have official coaches, but each of the teams has a couple people in charge of them who help to keep things running smoothly. Brian Pak was our main team captain, and then each of the subteams have their own captains: Juno Im from The Duck; Kevin Liu from Maple Bacon; and Ethan (Minwoo) Oh from PPP.
Jinmo is a member of The Duck. Jinmo (or Jinmo123) is his handle, but not his actual name. His real name is Yonghwi Jin. Aside from needing to be very smart (like all of our members!), he was chosen because he is the fastest at exploitation on our team. On our team he has the nickname “lightning hands”.
We cycled three different people in to compete in several matches of the Live CTF, but Jinmo participated in most of them for our team. There are very few people as fast and skilled as him, not just among our team but among hackers across the world. Due to the elimination bracket of the Live CTF we couldn’t just save him for last, we just needed to make sure he got enough sleep for him to be awake and fast.
Ralph Question: 7 out of past 11 years is remarkable. Any words for my readers on that accomplishment?
Every year we play it gets more and more difficult to stay competitive. There are so many excellent teams that play, and we are always thrilled when we are able to win. It can be hard to stay motivated after playing in these competitions for over a decade, but we are all very passionate about hacking and computer security. Everyone on our team works incredibly hard to stay on top.
Ralph Question: Is there anything you would like to tell my readers?
Participating in security CTF competitions is a great way to learn security skills. Many people on our team started learning about computer security through these types of competitions and now work in the industry. It can seem difficult to break into the field, but there are tons of CTFs for all skill levels.
For policy type folks in particular: Supporting these competitions and teams that participate is an excellent way to boost cybersecurity. We have seen trickle-down effects from efforts that PPP and Carnegie Mellon University have done such as picoCTF. We frequently meet brilliant security researchers (PhD students, industry professionals, and players on both our team and our competitors!) for whom picoCTF was a formative experience. Other countries such as China and South Korea have been putting more and more resources into CTF based education to generate new generations of cyber security experts (for example, most of the members of The Duck are alumni of the amazing Korean BoB program). In many ways the USA is lagging behind these efforts, and really needs to step up if it wants to ensure cyber security talent.
Conclusion: Encourage the Kids
As I have said many times before, we need to invest in the security of all of our cyber systems. Computer science and cybersecurity training needs to begin at a young age, at least by high school, if not way before. I know of kids in the U.S. who have started training as early as second grade. Experts teach by using online group games. Some have a natural aptitude and love it.
Early training is common in many countries, including Korea and Taiwan. No doubt early cyber-spy training goes on in North Korea and Mainland China too, where I suspect, small children are tested, and gifted kids forcibly taken from their families for specialized training. Same suspicion for Russia and a few other countries. As an educator, I am confident that, in the long run, our fun and love approach will prevail over harsh fear and discipline masters.
Some advanced cyber training programs are already available in the U.S., for some lucky students, starting at the grade school level. Children are not taken from any families, of course, and the program I am familiar with is not part of our military in any way. Still, there may be some similar training for military brats too. I hope so. Plus, most Hackers and anti-establishment types have children too. Their parents can be great teachers.
The reference by Carnegie’s MMM team to picoCTF underscores the point that public resources are available to all students who want to learn. Playing games is a great way for any age to learn, but especially kids. The picoCTF program was established by Carnegie Mellon University to teach cybersecurity computer skills in high schools. Some students come in with no training, some already have lightning hands and incredible skill levels. Started in 2013, picoCTF now sponsors CTF competitions and training year round. Here are their introductory words.
Participants learn to overcome sets of challenges from six domains of cybersecurity including general skills, cryptography, web exploitation, forensics, binary exploitation and reversing. The challenges are all set up with the intent of being hacked, making it an excellent, legal way to get hands-on experience.
Source: picoCTF
Also check out the picoCTF YouTube channel with instructional materials and career talks on cybersecurity. These are Carnegie Mellon productions using top professionals and educators in the computer, security and privacy fields.
In one video I watched they also recommended the program by Google, the Google Cybersecurity Professional Certificate. There is no charge for this program and certificate. It looks challenging. Eight courses have to be completed to earn the Google certificate:
- Foundations of Cybersecurity, 14 hours;
- Play It Safe: Manage Security Risks, 11 hours;
- Connect and Protect: Networks and Network Security, 14 hours;
- Tools of the Trade: Linux and SQL, 27 hours;
- Assets, Threats, and Vulnerabilities, 25 hours;
- Sound the Alarm: Detection and Response, 24 hours;
- Automate Cybersecurity Tasks with Python, 29 hours;
- Put It to Work: Prepare for Cybersecurity Jobs, 18 hours.
I suspect the hour estimates are high. For one thing, they do not factor in help from GPT tutors and are probably based on average, beginner adults. I doubt my genius third grader could do this course yet. But, in a few more years, when this will all be obsolete, and replacement courses also improved, they should be well within the gifted pre-teen and early-teen skill level.
Support the next generations. Help motivate all of them to catch up with the lucky gifted few. Let your local high schools know of the free picoCTF training. Attend local CTF and related hacker game events. Learn the rules and come out and cheer for your local teams, just like you would a football game. Play along at home.
The price of liberty is eternal vigilance. Gifted hacker nerds, probably more so than gifted football stars, have a key role to play in the protection of our liberties. Their playful vigilance may hack the future enough so that we can all survive. Never give up and just cynically complain we are doomed. Take action and teach your kids well. Lead by example and doing. That is the Hacker Way.
Ralph Losey Copyright 2023 – All Rights Reserved – Does not include the CMU or team member photos.