When it's time for Team saarsec to "Capture The Flag" (CTF), computers, heads, and the phone line of the pizza delivery service start smoking. Once the starting signal has been given for such an IT security competition, the saarsec boys - female members are expressly welcome, but currently underrepresented - spend the next few hours in front of the screens. During this time, they track down vulnerabilities in an opposing team's computer system created especially for the competition and try to protect their own system from attacks. At least, these are the rules of the game for the attack-defense variant of the turn-based competition. The flags that have to be captured in CTFs are not made of cloth, but consist of letters and numbers. Points are awarded for each string of characters found. Likewise for services that the team was able to successfully defend against attacks from the opponent during the round. CISPA faculty member Dr. Ben Stock has been a saarsec member since 2015, is active on the 5-member board of directors, and says of himself that he is "something like the 'president by seniority' of the team." In his cybersecurity lecture at Saarland University, he regularly promotes the hacking challenges and especially the annual workshop, which is coming up again on April 9 and 10.
What are capture-the-flag competitions all about?
Ben: CTFs provide an opportunity in a controlled space to put learned IT security skills to practical use. There is hardly any opportunity to do this outside of CTFs, because hacking is a punishable offense in Germany as well as in many other countries. This is to prevent computer systems from being attacked just "for fun". At the same time, however, it is extremely important to apply what has been learned in practice. After all, defending a system can only be effective if you also know attacks against it. In the CTF competitions, the participants have to act as attackers and defenders, which gives them a whole new approach to many topics.
Sebastian: Yes, that's true. The competitions helped me a lot during my studies. Many of my subjects included mathematics and cryptography, all of which were very theoretical. I really struggled with that sometimes. Then in the second or third semester of my cybersecurity studies, I participated in the saarsec workshop and joined the team. Finally being able to apply what I had learned before helped me a lot.
Julian: I'm already noticing that, too. I'm in my third semester now and mainly deal with theoretical concepts in my studies. I don't feel like I can do anything with real systems. In the CTFs, however, you quickly learn that although many computer systems look very different, they are basically very similar in structure.
But now you, Ben and Sebastian, are no longer students. What is the appeal of CTFs for you?
Ben: My day-to-day work now consists mainly of supervising young researchers. Applying my skills in practice doesn't happen there either. The CTFs are a hobby for me and I simply enjoy them very much. Besides, although I've been playing CTFs since 2006, I can say after each competition that I've learned something new. My daily business otherwise rarely allows me to deal so intensively with topics outside my research area.
Sebastian: I've also been playing since 2015 and I have to say: even after years, I still learn something new at the competitions. If the challenges require it, as a web security person I also read up on cryptography or some wacky programming languages. The knowledge we gather in this way is also passed on to each other. We meet with saarsec once a week and then everyone presents the service they worked on at the last CTF. If something similar comes up again in a CTF, you might remember it, or at least know who had worked on it. However, people should only be approached if they are not about to solve a task themselves. Right, Ben?
Ben: A CTF is a competition where things can get stressful. An interruption at the wrong moment may lead to a somewhat more explicit answer. How the challenges are designed varies greatly. Sometimes it's about more classic vulnerabilities, which also occur frequently in reality. Sometimes, however, you suddenly have to deal with programs whose source code you can no longer see and then have to work with the binary code. There are hardly any limits to the creativity of the teams that create a CTF. Sometimes, even underneath simple-looking web services, there are some ancient, unknown programming languages, because someone stumbled across them during some research and shared their knowledge. As a team, we organize a CTF for other teams once a year. Often the ideas for vulnerabilities that we include in the services come from our research.
How big are the teams and who can participate?
Sebastian: The size of the teams varies, occasionally group sizes are limited, but often the competition is open to teams of any size. In principle, individuals can also participate, but then they have little chance of winning. For larger competitions, sometimes smaller teams join together to form one large team. Our team currently has about 25 active members. Among them are not only cybersecurity students, but also students from other disciplines, as well as lecturers such as Ben and people who started out in college and have long since gone to work.
You guys are planning another CTF workshop in April. Do you need any prior knowledge to participate?
Julian: Rather no, you should be interested in cybersecurity at best, but if someone develops an interest in this topic through our workshop, all the better.
Sebastian: A certain affinity for computers is certainly an advantage, though.
Ben: There are, or at least there were in the past, actually also CTFs with tasks that didn't have so much to do with cybersecurity. Someone from outside the field could solve those as well. But I have the impression that this has become increasingly rare in recent years and that CTFs are becoming more and more professionalized and also more and more difficult.
How does your workshop work?
Ben: We always plan a whole weekend for it. On Saturday and Sunday morning, there are several 1.5-hour timeslots, half an hour of which is lecture and one hour of which is solving practical tasks. People from the team are then on hand - as far as Corona allows a presence - to answer questions. Sunday afternoon we then divide the group into 5- or 6-person teams and play a first small CTF.
Sebastian: Yeah, that was the moment where you had me. That was super fun.
Julian: I can only agree with that, that's how you convinced me to join about a year ago.
You have come quite far with your team...
Ben: That's right. We were in Abu Dhabi in 2019 and what was even bigger for us: in Las Vegas. We played in the CTF of DEFCON there. That is, I would say, the world champions of these competitions. Absolute Champions League. We were one of 15 teams that were allowed to compete there and had previously qualified at another competition. It wasn't enough to win, but the trip was still great.
Have you set yourselves another goal as a team?
Sebastian: To take part in DEFCON again and then to win would be great, of course.
Ben: If we want to reach the top as a team, we would have to train much harder. In addition to the Attack-Defense-CTFs, which usually last eight to ten hours, there is another type called Jeopardy CTF. Here, instead of several teams playing against each other, everyone plays against a Jeopardy board. These contests often last two, three or even four days at a time. Since I have a family, that's out of the question for me. The same goes for most of the others on the team. If we wanted to compete at the top, we would have to take part. But then we would have to train even harder. But the main purpose is to have fun.
translated by Oliver Schedler
