This summer world’s best hackers meet online in “safe mode”!

DEF CON is the largest security and hacking international convention, having started almost 30 years ago, attracting security professionals, academics, amateurs and hacking enthusiasts from all over the world. This year, due to the current pandemic, instead of Las Vegas, DEF CON will take place… online for the first time!

During DEF CON, security specialists have the chance to participate in one of the most prestigious among all hacking competitions, known as “Capture the Flag” (CTF), where teams compete in order to solve a series of challenges, win and bring the “digital flag” back home.

EURECOM’s Professors in Digital Security, Dr. Davide Balzarotti and Dr. Yanick Fratantonio, both members of the organising team for “Capture the Flag” (CTF) competitions, give us a view behind the scenes of DEF CON’s 2020 challenges.

What are the hacking competitions organised during DEF CON?
DB: The convention hosts a large number of hacking competitions. We have been part of the organising team (a group of 10–15 people) of the DEF CON’s CTF for 3 years already. The team is chosen every 4 to 5 years depending on its ability to design challenges. There are two main styles of CTF games which were first introduced in DEF CON: “Jeopardy” (used for the online qualifications) and “Attack and Defence” (used for the finals).

YF: “Jeopardy” competitions include security, system exploitation and cryptography related challenges, where the contestants have to steal a secret file called “flag” to prove to the organisers that they hacked the system. “Attack/Defence” competitions include machines controlled by each team, where the goal is to either take over other teams systems taking advantage of their bugs or defend their own programs by fixing the existing bugs to avoid a take over.

What is your role in the organisation of CTF challenges?
DB: Every year we organise the online qualification round of the CTF competition around May, in order to rank the teams that will participate in the finals during DEF CON, which are usually around 16–25 teams. This year we had 1,400 teams participating, which is an increase in the participation rate. In general, these types of competitions are like a sport for hackers, where participants train hard in order to be able to participate and of course qualify. To that end, several teams have joined forces to construct national hacking teams, in order to increase their chances for qualification to the finals, since the competition is of extreme difficulty. There are around 100 different competitions per year of various sizes and popularity, but among those many existing CTF challenges, DEF CON’s is the largest and most prestigious to win. Some of the top EURECOM’s students participate in the CTF with various teams around the world, that succeed to qualify.

YF: Designing CTF challenges is an iterative process and it takes a lot of time to do it right, but it is really an enjoyable process and it is great that EURECOM supports us to participate. Several weeks are needed to organise fully a CTF challenge, finding the right compromise of difficulty and amusement for the participating teams. Note that challenges are often solved in several hours by the best teams! We design the challenges for the best security experts in the world and it is impressive to see them solve your problem by the most creative ways, faster solutions and some times inventing fantastic tricks that we had not anticipated. The key to succeed is to be fast, smart and creative but also have enough technical resources e.g. machine power, in order to beat competition. In some cases, teams get support from their companies/sponsors to the point that they would get benefits for participating in DEF CON’s CTF competitions.

What is different this year in DEF CON’s CTF due to the current pandemic?
DB: This year will be the first time to organise the finals of the CTF online, instead of having a physical event in Las Vegas. It is not yet clear how we will organise the competition’s final round online, but for sure it will be quite differently managed. What we can say is that it would be easier in terms of infrastructure, managing everything on the cloud and not having to rely on local providers for internet connection, which are often not enough to support the needs of the event. What would be a possible challenge is the need to redesign the way we do the challenges in order to succeed online. Hence, that would require extra time to the already time-consuming organisation. For the technical talks of the main event though, we expect that the conference will provide access in streaming for those interested to attend.

Also, DEF CON has a high social component and serves strongly as a networking event among security experts that meet and exchange on very broad technical security topics. The challenge for this year is to make the event as engaging as possible on the social aspect as well, nevertheless the personal contact will be surely missed.

by Dora Matzakou for EURECOM