Andrew Wesie / @zoaedk
Over the past decade, cyber security competitions have grown to match, and often exceed, the challenges of real-world hacking. As members of Plaid Parliament of Pwning, a capture the flag team, we have experienced this first-hand and contribute with our own competition, PlaidCTF. While it was once possible to compete with a basic knowledge of assembly and reverse engineering, it is now expected that everyone can invent new heap exploitation methodologies on-the-fly and reverse heavily obfuscated binaries. This keeps the competitions interesting for those of us who have competed for years, but it also risks demoralizing those who want to learn and still have fun.
While CTFs have been evolving, new competition formats, such as Pwn2Own and HackerOne, provide a completely different vision. The thrill of exploiting real software, with the bonus of a monetary reward, can excite those who have deemed CTF as a waste of time. Why analyze and exploit toy programs when vulnerable real world programs are plentiful?
We believe that having this variety of competitions is a good thing. During this talk, we will review the recent history of both CTF and Pwn2Own-style competitions, along with our experiences and how we think they can fit together. We hope everyone will walk away with an appreciation for these competitions, and vision for how they will continue to evolve for the next decade.
Andrew Wesie is a security researcher at Theori, specializing in exploitation and reverse engineering. He is also an avid CTF player with four wins at DEFCON CTF finals as part of Plaid Parliament of Pwning (PPP). When he is not hacking browsers or playing CTFs, he is developing software-defined radio applications and contributing to the Wine project.