Why am I retiring from CTFs?

I’ve talked a lot about how I no longer do “fuzzy mentorship.” (If you haven’t heard the term, it’s generally seen as mentorship that focuses mostly on vague things like good vibes and is endeavored upon mostly for reasons of publicity. I’ve got no more energy for all… that.)

I’d rather do sponsorship: targeted acts of promoting and providing opportunity that allows me to put my influence behind young and/or midcareer women of color. Writing a recommendation, referring for a job, setting up a meeting, and responding to specific questions are some of those very targeted actions that can make a difference.

Here’s how that’s currently manifesting in my life and career in a way that tries to help others.

I’m about to retire, as it were, from competitive Capture the Flag (CTF) hacking competitions. After 5 years of competing within the SANS NetWars circuit, I and my team — NullCastleException — won the international Tournament of Champions in December 2021. My teammates David (@chebuzz) Carlson, Christopher (@tcpsub13eq0x02) Miller, Szymon (@szymex73) Borecki, and fable were supportive and amazing!

The SANS Institute has made some really awesome trophies over the years!

I have been doing CTFs seriously for about ten years, and cannot think of a better way to improve your skills in information security while making great connections and adding lines to your resume than by participating in CTFs. It’s how you can gain experience, face problems that aren’t discussed in textbooks, and try exploits against real-world systems that aren’t just in your sterile sandbox or your company’s lab. I have loved doing this ever since I and my long-time collaborator and good friend Liz (@tanglisha) were on the winning team in LosT’s Mystery Challenge at DEF CON a decade ago.

Left: Tanglisha at DEF CON 20. Right: me and LosTboY at DEF CON 20.

That’s me and Liz with our team’s trophy and our black badges. Since that DEF CON, we kept going in competitions and have had a total blast.

This is us at DefendCon in 2019 where we won the OpenCTF.

We won the OpenCTF at DefendCon in 2019, too. 🙂

There are lots of CTF teams that have highly skilled members but which can also use someone who’s more junior or even differently-skilled. Someone who will simply show up, do the research, and support the team. Do not dismiss this possibility if you are considering where you might find a place in the competitive hacking arena and you’re a bit nervous about whether your skills are enough.

NOTE: It’s sadly also true that many CTF teams somehow mysteriously manage to leave the junior women off the podium or snatch the trophies back when they win something, and later “explain” that as a junior member of the team they were just there as a support, not a real or full team member. I and other women have personally experienced that injustice and there are some horrible missing stairs in the CTF world. However, I also know several excellent CTF teams that treat people with respect and would never do that, and I would love to very specifically connect midcareer women of color to a few of those teams where you’ll get a shot to listen, learn, really participate, and eventually form additional teams. Yes, this is a lot of work, but it’s the single best way I’ve seen for women and BIPOC to be seen as “truly technical” in the field.

Besides, this kind of competition is really, really fun!

DefendCon OpenCTF, 2019

I can’t even describe how much I’ve enjoyed CTFs. The experiences I’ve had at SANS during their NetWars competitions have, on average, been the best. Event architects Tom Hessman, Jeff McJunkin, & Ed Skoudis have been amazing at running the competitions, getting new people unstuck, and challenging veteran players. Our team NetWarsAndChill had a whole holiday decor theme happening at the SANS Tournament Of Champions in DC in 2019.

SANS NetWars Tournament of Champions, December 2019
Team NetwarsAndChill at SANS NetWars Tournament of Champions, December 2019

When women and POC interview for technical roles, there is often a person advocating for them. Give that individual a weapon to use on your behalf. “We took third place in my local BSides Open CTF in 2021,” is a two-handed flaming broadsword in the hands of a recruiter trying to get you into a security research or SOC analyst job opening. It says you’re participating in the community, that you believe in teamwork, that you put the effort in, and that you’re connected with similarly enthusiastic colleagues already.

Let this be a way for you to stand out among the hundred other people who are interviewing!

I must emphasize: if you’re afraid you’ll expose your total ignorance, know that I have been on lots of CTF teams, and I — along with nearly everyone else who’s sat next to me at the competition tables — constantly struggle with that same fear. We cope with it by being open about what we don’t know and by being generous with teaching people what we do know. These are the friends and colleagues I’ve had with me through this experience and I’m grateful for each and every one of them.

Of course I love my NetWarsAndChill team, including amazing people like Mike Downing and Jacen Kohler! I had great experiences competing with other veteran and respected CTFers like Mike Dee (@mikedee_hacker), Matt (@pseudosec) Kalinowski and ants (@DarkBerryBash), and they’re welcoming to n00bs. The buddy system works, and everyone I’ve named in this post is open and willing to help, advise, and maybe even compete with you!

I’ve been doing this for a decade. It’s time to both pass the torch and move on to sponsoring the next set of amazing competitors. If this avenue of potential opportunity appeals to you, let me know. I have a private list and Signal group of resources, people, and mentors who like introducing people to CTFs. Many of these individuals and teams are explicitly interested in diverse voices and new faces, because they recognize that a team which represents multiple perspectives and backgrounds will always be stronger and more capable than a team whose players are all monolithic and identical.

If you don’t know how to reach me, go find one of my email addresses. That is your first flag to capture. 😉

Good luck!
