I've reached a level of being almost quasi-serious about participating in CTF, but my dreams just got crushed. I tried to find if Kenshoto has CTF-specific forums and I couldn't find them, maybe because I suck at the Google-fu, but anyway, I'm venting here.
The way I see it, CTF is fundamentally a game, and pretty much all games have two components: offense and defense. I was extremely interested in playing defense in CTF as I generally consider myself an expert in all things related to building secure network applications, which includes quite a panoply of skills including protocol/language recognition (using state machine parsers/pushdown automata), concurrency, I/O multiplexing, BSD/POSIX sockets, etc. etc.
Well, enough blowharding. After talking with the guy most proficient in defense on our local CTF team, I discover that defense is essentially worthless in CTF. You lose nothing for getting hacked to shit. So why even bother? I've put together what I think is an awesome defensive strategy, and thanks to absurdly high level languages I can generally code circles around C programmers, but that's all useless, since putting together the greatest defense possible means nothing if getting hacked doesn't count against you.
It seems that improving your defense merely makes you a less attractive target, and the other teams' offense will just choose someone easier. It doesn't actually help in any way. That somewhat translates to a real-world scenario I guess, but is CTF really supposed to be a real-world scenario, or a game? If it's the latter, shouldn't having a better defense improve your score somehow?
That said, a strong defense could be leveraged offensively, since building a defense involves a lot of declarative knowledge about the services and protocols being used, and with functional languages it's easy to turn that declarative knowledge into something that may be useful for the attackers... but I can hardly see that as my primary role, more a secondary thing I could do in addition to defending.
Anyway, that said I've pretty much lost all motivation to participate in CTF. I just really wish there were a defensive component as well...