If you’ve been to DEF CON or any number of other technical hacker conferences, you’re familiar with Capture the Flag contests. These events pit teams of hackers and researchers against each other in a series of challenges until a winner is determined.
Capture the Flag is also a valuable teaching tool, providing some with hands-on reverse-engineering or crypto experience, for example. Gulshan Singh, a software engineer on Facebook’s threat infrastructure team, is a familiar face at DEF CON as part of the international Samurai team. While at the University of Michigan, a teaching assistant proposed Singh try his hand at CTFs to gain some practical experience that textbook learning did not provide. That experience at UM laid the foundation for him to eventually land on the Facebook security team in 2015, he said.
“I learned about RSA encryption in my computer science courses, but CTFs taught me how to break it when it wasn’t properly implemented, which happens all the time in the real world,” Singh wrote today in announcing that Facebook has released its Capture the Flag platform for free on GitHub. “It’s a lot of fun to learn this offensive side of security, but at the same time learning about these flaws makes you a better defender as well.”
The free availability of the Facebook platform fills a gap since few are readily available, and to build one from scratch requires money and resources that many do not have, especially students, educational institutions and non-profits.
The Facebook platform includes all the backend requirements for running a CTF contest, including game maps, team registration and scoring, Singh said. The game also comes with challenges that include reverse-engineering, forensics, web application security, cryptography and binary exploitation. There are also means by which users can build custom competitions.
“By open sourcing our platform, schools, student groups, and organizations across all skill levels can now host competitions, practice sessions, and conferences of their own to teach computer science and security skills,” Singh said. “We’re also releasing a small repository of challenges that can be used immediately upon request (to prevent cheating).”
Facebook has been generous with its in-house security tools, moving a number of them to open source via GitHub. In 2014, Facebook made osquery freely available; the framework acts as an intrusion detection system and allows users to write SQL-based queries to explore trouble spots in the operating system. Earlier that year, Facebook also released its Conceal Java crypto libraries for Android, which handles encryption for removable SD cards, removing potential performance issues while securing data stored on the medium.