Why Should I Play Capture the Flag?

People learn about computer security in a number of ways, all important. For the sake of argument, let's put these in three categories: reading, building, and doing.

READING. There is absolutely a time for reading conference papers, books, and even journal articles. In this way, one acquires valuable theoretical apparatus and learns what has been tried before, both with success and not. If giants exist upon whose shoulders we can stand to get a better view, why not do so?

BUILDING. There is also a time for constructing defensive systems and offensive tools, as well as evaluating them and then, in turn, writing books and papers to describe one's own work. Until one applies abstract knowledge to fabricate new systems and software artifacts, one's grasp of computer security remains hazy and unformed. The devil in computer security is absolutely in the implementation and user interface details.

DOING. Finally, we believe, there is a time for practicing defending and attacking real computer systems in real time. Ask someone who has lived through an attack upon his or her organization's computers if any important lessons were learned about computer security. Ask us, if you like. CTF attempts to model that defend/attack experience. Time pressure brings theoretical lessons into sharp focus. Competitive forces expose assumptions and flaws in tools and systems constructed in a vacuum.

A Cyber Capture the Flag exercise typically resides in the last of these three categories: DOING. But it can span all three, and it is our aim to push in that direction. By distributing competition VMs over a month prior to the competition, teams have time to prepare defenses and plan offenses by building new tools and systems. They should even have time to do a little reading on what has been done before, and would be well served to do so. We think CTF has the potential to be a great teaching and learning tool and look forward to exploring that possibility. Also, it is a blast.