Google CTF 2023 And How It Almost Backfired
I wanted to introduce a group of students to cybersecurity. They showed passion and willingness to learn.
I thought there would be no better introduction than inviting them to a Capture the Flag (CTF) competition. That way they would get exposed to the field while having a fun experience.
CTFs require teamwork, showcase the diverse requirements (and goals) of cybersecurity, offer hands-on practice, and demand a security research mindset. In fact, many professionals jumpstarted their security careers via CTFs. It cannot get any better.
So I went on and registered my team for the very first CTF I saw on CTFtime, one that happened to be run by Google. I thought this was some annual CTF which Google hosts for fun and games. It must be a perfect introductory event for a team of beginners. I registered and invited everyone to join the team.
As I prepared for the event, read writeups and blogposts, I felt that past challenges erred a bit on the difficult side, maybe more than just a bit. I quickly realized this event is not for beginners at all; on the contrary, I realized Google CTF actually was an elite-tier competition, hand-crafted annually by Google’s Security team to find cream-of-the-crop security professionals.
To put it in context, DEF CON 2022 quals, a prestigious, top-tier CTF, weighs 77.83 on CTFtime; meanwhile, Google CTF of the same year weighed 97.84! This is going to be a disaster.
I was very worried that this experience might discourage the newcomers from cybersecurity, perhaps affirm their stereotypical picture of cybersecurity as a complex field, exclusively reserved for a select-few genetically-gifted ultrahumans. I did not want the event to backfire and end up turning them away from the field.
So to avoid the shock, I tried to keep them clear on expectations and objectives of our participation. I told them our primary goal is exposure. We are not in this event to fight for ranks; far from that, I actually do not expect us to be able to solve any challenge. We are in this competition to explore the craziness out there, see what’s up, perhaps learn about new technologies, and pick a skill or two.
The competition ended and results were not unexpected. Our team, over 48 hours, and out of 35 security challenges, managed to solve: one challenge! One that took us almost 8 hours to solve!
As for our fresh members, they actually ended up enjoying the competition. They enjoyed collaborating on different technical problems and it triggered their curiosity to learn more about cybersecurity. They said they enjoyed the CTF format and would like to participate in future, hopefully more friendly, events.
Personally, I attempted over 20 challenges, had a close call with a few, but ultimately reached a dead end in every single one of them. Going through the challenges, I couldn’t help but smile as each challenge’s simplicity sank in: it is clear what the goal is, and I know what I am looking at, yet no matter what I try, nothing works! That is a sign of a well-designed CTF; no obfuscation, execution is all that matters. Everything I thought of flew off at a hopeless, rather educational, tangent.
Overall, I think the Google Security team did a spectacular job in this CTF: every single challenge was extremely well-designed, thought-provoking and captivatingly unique. There were no throwaway challenges as in other CTFs; every single challenge was purposefully crafted to look flawless at a distance and barely falter under scrutiny. I cannot imagine the time, effort, skillsets and thought process that went into designing some of these challenges. It really was a work of art.
With that said, and I cannot emphasize this enough, my advice to all fellow students, whether in cybersecurity or any other field, is: Compete. Find a highly-regarded competition in your area of interest and participate in it. Perform poorly, once, twice… Perform poorly as many times as you can until you do not. You will learn so much. Competing is inherently rough and disheartening; but it is how you build grit, fortitude and eliminate biases. It also helps you stay grounded and accelerate your technical and mental maturing.
Setting yourself against other talented, ruthless professionals saves you from the comfy bubble of “lone wolf studying”. A deceiving bubble that can lift you really high, inflate your confidence, before bursting and leaving you broken. Throw yourself out there, and just like our little team, start competing!