The fourth and final day of Southern California Linux Expo (SCaLE) is a slower-paced and less intense day. Some attendees from out-of-town need to leave earlier to return to work Monday morning, and much of the rest are tired out by the preceding days. The E-ALE people are all gone, presumably to Portland, OR for their next training session at Embedded Linux Conference.
My personal education goal for the day is to understand more about “Capture the Flag” events that have been going on. I understand the idea is to make a fun competition for people to practice computer security concepts in a game arena, but the concrete details are still fuzzy. I’ve known that security CTF isn’t one thing – it’s a category that covers different implementations. And since it takes place on a computer, algorithms have joined the party. The highest profile event I knew about was a DARPA “Cyber Grand Challenge” where, instead of teams of people competing directly against each other, the teams compete indirectly by building AI software to compete against software written by other teams.
But the focus for SCaLE are about people, and not AI algorithms. The conference held three rounds of CTF hosting beginners, intermediate, and advanced competitors. Sadly I had a time mixup of my own fault and missed the beginner round that would have been the best fit. (SCaLE weekend happened to also be the weekend when daylight savings time switched over and not all clocks automatically adjusted.) The beginner and intermediate rounds were hosted using Facebook’s CTF platform. I wished I could have seen it in action and maybe even got some hands-on participation time, but at least I now know about Facebook’s CTF platform and can look into it later on Github.
As an alternate activity, I attended a talk titled “Gamify Security Training with Developer CTFs.” The subject of this talk was yet another variant on the CTF concept. Instead of an abstract competition arena and all teams competing with the same code, this particular competition was designed to be immediately relevant to the developer team by using their own product code. In effect, they were holding a CTF competition where they were trying to compromise their own commercial products. This particular event took a lot more effort to set up than run than something like the Facebook platform, but it was far more engaging to the participants and they found real product bugs to fix. It’s a great concept that can be well worth the higher up-front setup cost.