On the Road: OSINT-CTF at DerbyCon IX
Even if you’re not an avid sports fan, there’s something electric about watching a live event. Sure, part of the pleasure is seeing your team play in person, but there’s also the camaraderie of cheering with other fans, the thrill of seeing yourself on the Jumbotron, and the delight of knowing you were there for that game-changing play. For DerbyCon IX, we wanted to bring the drama of a sporting event to the OSINT-CTF. Were we successful? Let’s just say that by the end of the conference, we were ready to do the wave.
So, just what changes did we make to the OSINT-CTF format to generate more audience excitement? We thought you’d never ask!
First, we focused on transforming the CTF into a live-action event. That meant limiting contestants to a small group that could compete against each other in the same room. Previous CTF challenges might have had as many as 50 competitors, and many of them would compete remotely. While having lots of players from around the globe has advantages, it’s not particularly fun to watch people play a game if you can’t actually see them. If you’ve ever tried to follow a sports event by just reading someone’s live tweets, you know what we mean. Thus, we vetted all the registrants and ultimately selected 14 savvy players to face-off in-person at DerbyCon IX.
Secondly, we wanted to add play-by-play commentary from entertaining and insightful industry experts. Enter 2018 DEF CON SECTF Black Badge winner Whitney Maxwell, Renaissance Hacker-Man Johnny Long, and Social-Engineering gurus Chris Hadnagy and Ryan MacDougall. Here’s how it worked: players would send screenshots of where they found the answers to the questions. For example, if the flag asked for Toby the Target’s wedding anniversary, players took a screenshot of the Facebook status where he tells his wife, “Happy 25th anniversary, Babycakes!” Then, once that flag was no longer available to the players, Whitney, Chris, Ryan, and Johnny analyzed the screenshot for the audience watching the CTF, explaining just what was going on inside the minds of the players. This quintessential quartet provided social engineering tips and tricks, offered helpful websites, and inspired an appreciative audience to think like a hacker.
Before we sign off, we have a number of people to thank for helping us pull together the DerbyCon IX OSINT-CTF.
First, hats off to Chris Hadnagy and everyone on the SEVillage team. Not only did they challenge us to create an OSINT-CTF charged with the same energy found in a spectator sport, they also provided the support needed to execute the competition with this new format.
Secondly, we have to give props to Evan Davison, the sound and video master, for the epic restraint he showed in not stabbing, throttling, or otherwise maiming us despite our blatant mistreatment of him. Do we acknowledge we may have thrown way too much his way? Yes. Do we swear to never do so again? Of cou…look, a squirrel!
Ryan Macdougall, who, in addition to his numerous contributions to the SE Village and the OSINT-CTF, provided homemade pickles not once, but TWICE after the first jar was devoured by an unnamed pickle-eating bandit. (Beware the Pickler!)
And finally, a huge thank you (AGAIN) to Chris Hadnagy and Ryan MacDougall, but also Whitney Maxwell and Johnny Long, our four deeply insightful and highly entertaining OSINT-CTF commentators. People literally took out notebooks to record Whitney’s tips, they were THAT good, and frankly, we could listen to Johnny Long all day, every day. Not only was his analysis insightful, but he also stayed 30 minutes longer than he had committed to, despite the fact that we’re sure he’s busy writing the next “great American Hacker guide” or saving the world through his non-profit, Hackers for Charity. Y’all were the key ingredients to this year’s OSINT-CTF.
We learned a lot from this experience, and we’re looking forward to applying these lessons at GrrCON this October. Once again, we hope to create a CTF that not only challenges the competitors, but also educates and engages the audience. For those of you who participated in the OSINT-CTF at DerbyCon IX, your voices have been heard: we’ll leave the attacking drones at home.
(Although we're going to put a pin in @AletheDenis' idea of pizza-delivering drones, brilliantly illustrated by @maru37 below. I mean...genius.)
Calling All Volunteers
One more thing: We’re always looking for volunteers to be Capture the Flag targets. Not only will you earn our eternal gratitude, you’ll have bragging rights for life! Tell one and all that you were a CTF Target. Bonus: Learn just how easy (or difficult) it is for talented hackers to find information about you online.