CCSF_HACKERS History

Purpose

I was asked to write about CCSF's participation in cybercompetitions, so it can be explained to employers and college committees, who are often outside the infosec commmunity and don't understand them.

Cybercompetitions

Games, contests, and Capture The Flag (CTF) competitions are very important in hacking culture, and a very popular way for hackers at all skill levels to learn and teach. Most competitions are offensive and aimed at penetration testers, who break into systems, defeating security barriers such as passwords and encryption. A few of them are defensive, testing a team's ability to resist such attacks.

The most common form of competition is open, online Jeopardy-style, with a series of challenges available online. They operate with very few rules, no restrictions on who can compete, and no limit to team sizes. These competitions are the most popular, because anyone can join, at any skill level, without any restrictions or risks. Participants don't even need to risk humiliation, since they can compete with an anonymous account.

The most exclusive, expensive, and restricted competitions are the ones that require physical presence at a competition location, entrance fees, and sometimes proof of full-time enrollment in an appropriate college program. The most famous and advanced CTF of that type is the DEF CON CTF, which is far too difficult for any academic team I know of. The main college-oriented competions of that type are the Collegiate Cyberdefense Competition (CCDC) and the Collegiate Penetration Testing Competition (CPTC). Only college teams can participate in them, so they remain within reach for the skill levels of college students.

A major issue in cybersecurity is that the skill level required for top-level professional work far exceeds the level of college training programs. All undergraduate colleges currently do is teach students the fundamentals of computing, networking, and security, and a basic level of skills with a few popular tools. Students need to learn advanced topics on the job, or at expensive, specialized training programs such as SANS classes. Every leading college security program I know of is constantly struggling to keep up the progress in the field, and remains many years behind industry standards. This problem is very difficult to resolve. Colleges seem unable to adapt quickly enough to keep up. The fundamental problem is a culture clash between the ponderous, dignified, orderly, and bureaucratic college environment and the freewheeling, brilliant chaos of hackers.

CCSF_HACKERS

In 2008, I started working alone on the DEF CON CTF qualifier, the free, open, online event that qualifies teams to compete at the DEF CON CTF. I learned that it was out of reach for me and for my students, like getting into a boxing ring with Muhammed Ali. It teaches humility, but not much else. Rather than throw my students into that experience, I sought easier contests.

We started doing online CTFs in 2013 or so. My most advanced student, @the_fire_dog, and I were often the only team members.

By 2015, we had an energetic hacking club and competed in several online CTFs, with encouraging results, as shown below.

CPTC

In 2016, CCSF_HACKERS competed at Rochester in the CPTC.

We did not place in the top three teams, but we won a $600 prize and an award for "creative use of technology in the area of healthcare" sponsored by the IEEE.

In October, 2017, CCSF won second place in the CPTC Western Regional, second only to Stanford. We defeated UC Berkeley, CSU Dominguez Hills, San Jose State U, and other large colleges.

We competed in the CPTC finals in Rochester in November 2017, but we did not make it into the top three teams this time, either. The team was not discouraged, however, but remained focused on improving our performance next time.

CCDC

In 2016-17, we competed in the Western Regional CCDC. We did not qualify to go to the face-to-face event in Sonoma, but we weren't in last place, which was our captain's goal. That was realistic, because we discovered that there is a lot of lore required to be competitive and there's no way to learn it except to start competing.

In 2017-18, we competed for the second time. We hit our peak in the January, 2018, Invitational where we scored #1, defeating all the other teams, including Stanford!

However, we did not qualify in the January, 2018 qualifier held a few weeks later, so that ended our season this time. We are rapidly improving in all these competitions, but they are tough, and we cannot expect to get to the top without years of hard work.

Other Recent Competitions

We continue to compete in many online contests, including CSAW from NYU and EasyCTF. This year, we competed in RUSecure for the first time, coming in #18 out of 88 teams.

In April, 2018, we competed in TORO.CTF, at CSU Dominguez Hills, and won 3rd place!

Future Plans

We now have a regular class to prepare students for competitions: CNIT 140. We practice steadily, using online training environments and competitions, and the best students get onto the teams for CCDC and CPTC, which are the peak events for us.

The competitions are very important, because they expose student to the latest topics, often going beyond our class offerings, and help them to meet employers and demononstrate their skills. Many students have gotten job offers from CTF event sponsors, and sometimes from company representatives we defeated.

Job Placements

I was asked to list the companies our students have gotten jobs at. Here are the ones I know of:

NASA Ames
Google
Zendesk
UCSF Med Center
Lawrence Berkeley Labs
Mission Bit
OpenDNS
Cloudflare

Posted 4-9-18 by Sam Bowne
Jobs added 5:54 pm 4-9-18

Sam Bowne