Emotional Support for "48 hours of failure"
Download as PPTX, PDF0 likes252 views
The document discusses the author's research on Capture the Flag (CTF) competitions in cybersecurity, highlighting challenges players face and the community's narratives around participation. CTFs are critiqued for being poor learning environments despite helping with skill refinement and cultural capital. The talk aims to provide insights into CTFs, encouraging persistence amidst frustration and failure.
![“FUNDAMENTALLY, YOU'RE WASTING YOUR TIME
WHEN YOU COULD BE READING PAPERS [LAUGHS
HARD]. AND THAT'S A THAT'S A FINE WAY OF
APPROACHING IT TOO.
-Tony (plays in 2-3 CTFs a month)
20XX PRESENTATION TITLE 9](https://image.slidesharecdn.com/uoft-ctfclubtalk-230114213927-015f4835/85/Emotional-Support-for-48-hours-of-failure-9-320.jpg)
![WHY ARE CTFS ARE A POOR
LEARNING ENVIRONMENT
2023 CTF101 10
• CTFs are fundamentally competitions
• Winning is inherently rivalrous
• No hints
• Time-limited
• The expectation is that most players will come with the
knowledge they need to win
• “[CTF] organizers seldom offer to prepare competitors
for the event… it’s incumbent upon them [players] to
acquire the skills necessary to compete well” (p. 69) –
Chris Eagle
• A survey of 15 “vulnerability discovery” exercises (CTFs)
found that almost none satisfied basic pedagogical
goals (Votipka, Zhang & Mazurek, 2021)
• Challenges are heuristic
• They require us to know, or figure out something for
ourselves](https://image.slidesharecdn.com/uoft-ctfclubtalk-230114213927-015f4835/85/Emotional-Support-for-48-hours-of-failure-10-320.jpg)
![CTFS AS NAVIGATION & PRACTICE
2023 CTF101 14
• CTFs are a check on your knowledge of contemporaneous
problems
• Essentially your ability to navigate all of the knowledge that is
freely produced and circulated through hacker communities
• CTFs are a bad place to acquire new knowledge
• But they are great for refining existing skills:
• “It's just learning, getting better, getting better at all those
exploitation [and] reversing tasks.” – Holden
• It’s a “style of thinking” where” the tools and skills you use to
solve the problem tend to be the same ones you would use to
solve a real-world problem.” - Jonah](https://image.slidesharecdn.com/uoft-ctfclubtalk-230114213927-015f4835/85/Emotional-Support-for-48-hours-of-failure-14-320.jpg)
Emotional Support for "48 hours of failure"
- 1. EMOTIONAL SUPPORT FOR “48 HOURS OF FAILURE” (Dr?) Alex Dean Cybulski Research Security Specialist University of Toronto
- 2. ABOUT ME Security research specialist University of Toronto’s Information Security Division Design strategy & policy for securing high performance computing clusters Also: Sociologist studying: information security, hacker culture and games Former prof @ the University of Toronto Mississauga: Hacker Culture CTF Team: the 212s Documentarian: Cyberwar on Viceland (2016) alexander.cybulski@utoronto.ca @adcybulski on infosec.exchange the and the evil bird platform 20XX PRESENTATION TITLE 2
- 3. MY RESEARCH 3 In-Person CTF Competitions U.S. & Canada 200 hours of observation 100 hours of interviews w/ CTF Designers & Players 230-page research report Sim Cyberpunk: Serious Play, Hackers and Capture the Flag 20XX PRESENTATION TITLE 3
- 4. WHY DO PEOPLE PLAY IN CTFS? 20XX PRESENTATION TITLE 4
- 5. 20XX PRESENTATION TITLE 5 I DIDN’T LEARN ANYTHING NEW I DON’T THINK CTFS ARE FUN I SPENT 8 HOURS SETTING UP A #@$ LINUX ENVIRONMENT ON MY LAPTOP AND DIDN’T MEET ANYONE HIRING I PLACED LAST IN THE DEFCON CTF QUALIFIER
- 7. 20XX PRESENTATION TITLE 7 • I love CTF • But it’s easy to quit when your first competition goes poorly. • CTF is so frustrating one of my interview subjects, Pawel, referred to playing in one as “48 hours of failure.” • My goal with this talk is: 1. To teach you the stories that the cybersecurity / hacking community tells itself about CTF 2. To help you push through failure & frustration & keep playing CTF
- 8. 20XX PRESENTATION TITLE 8 • Learning, having fun and networking are stories we tell ourselves about games. In sociology we often say that play is “rationalized” we do it for a reason – we have stories for why, how and to what end we do certain things. • CTF is “serious play” which means that we have often rationalized doing something (hacking, coding, cybersecurity) that is laborious (like work), but for a specific reason (leisure, socializing, professionalization) • When those stories we tell ourselves about doing something don’t line up with our experiences doing that thing AND when play is so much like doing work, we usually stop • Why bother?
- 9. “FUNDAMENTALLY, YOU'RE WASTING YOUR TIME WHEN YOU COULD BE READING PAPERS [LAUGHS HARD]. AND THAT'S A THAT'S A FINE WAY OF APPROACHING IT TOO. -Tony (plays in 2-3 CTFs a month) 20XX PRESENTATION TITLE 9
- 10. WHY ARE CTFS ARE A POOR LEARNING ENVIRONMENT 2023 CTF101 10 • CTFs are fundamentally competitions • Winning is inherently rivalrous • No hints • Time-limited • The expectation is that most players will come with the knowledge they need to win • “[CTF] organizers seldom offer to prepare competitors for the event… it’s incumbent upon them [players] to acquire the skills necessary to compete well” (p. 69) – Chris Eagle • A survey of 15 “vulnerability discovery” exercises (CTFs) found that almost none satisfied basic pedagogical goals (Votipka, Zhang & Mazurek, 2021) • Challenges are heuristic • They require us to know, or figure out something for ourselves
- 11. CTF HISTORY 2023 CTF101 11 • The term CTF was coined in 1996 at the hacker conference Defcon • But Hackers have always been making games out of breaking security controls • CTF emerges out of a culture known as the computer underground – pirates, hackers & phreakers (phone hackers) • The original CTF was more like a skateboarding contest than a game (no points, no rules, no scoreboard) • Started out as a sideshow for a LAN party • CTF was created to let hackers show off their skills 1. To impress their peers 2. And not get arrested in the process • CTF was created a time when there weren’t a lot of jobs (1990s) in information security • So CTF isn’t necessary about work and/or learning • It’s about impressing people
- 12. CTF CHALLENGES ARE DISCURSIVE 20XX PRESENTATION TITLE 12 • CTF challenges are created by subject matter experts • These experts think that the problem at the heart of the challenge: the method/methodology for vulnerability identification is interesting or meaningful • For the most part CTFs use ‘constructed’ vulnerabilities that do not exist in the real-world • If the problems were identical to real-world ones there would be a lot of tools to automate their exploitation (Metasploit, for example) • So solving a CTF challenge involves analyzing problems using real- world methods, methodologies and software
- 13. CTF CHALLENGES AS COMMUNICATION 2023 CTF101 13 • “CTF is really good to get you to learn about problems that need solving” – Tim • CTF challenges are about applying & demonstrating problem solving skills & techniques • Demonstrating the intellectual capital of players • To the things that other people think are meaningful (social capital) • In playing, winners demonstrate expertise, they demonstrate cultural capital – their ability to navigate knowledge • So playing in a CTF is about translating knowledge through meaningful problems to create recognition
- 14. CTFS AS NAVIGATION & PRACTICE 2023 CTF101 14 • CTFs are a check on your knowledge of contemporaneous problems • Essentially your ability to navigate all of the knowledge that is freely produced and circulated through hacker communities • CTFs are a bad place to acquire new knowledge • But they are great for refining existing skills: • “It's just learning, getting better, getting better at all those exploitation [and] reversing tasks.” – Holden • It’s a “style of thinking” where” the tools and skills you use to solve the problem tend to be the same ones you would use to solve a real-world problem.” - Jonah
- 15. TAKEAWAYS CTF is a game about cybersecurity, sure, but really it’s a form of communication, which translates local knowledge (intellectual capital) into recognition (cultural capital) and expertise (social capital) CTFs aren’t great for traditional learning (developing new skills) But they are good at refining skills (practice), understanding contemporaneous skills and building a culture of cybersecurity for learners. • This doesn’t mean if you want to learn you should quit and go home! • Just don’t be discouraged if/when you struggle! That’s normal. 20XX PRESENTATION TITLE 15
- 16. THANKS & HAPPY HUNTING Alex Dean Cybulski alexander.cybulski@utoronto.ca @adcybulski www.adcybulski.com 2023 CTF 16
- 17. WHO THIS TALK IS FOR 20XX CTF 101 17 • This talk assumes you know nothing, or a bit about CTF • But want to know more • You want to develop cybersecurity / hacking skills • I provide some critiques of CTF • But I do that to help you understand what you’ll get out of participating • My arguments are made based on observation & other people’s experiences • Blended with a little teaching theory • But it’s worth saying: your experience may vary! • The talk is largely non-technical • But CTF is mostly non-technical • Sociologists define things, they help us create meaning and understand patterns • Terms from economics, psychology and even gaming are the product of ideas sociologists created