Shostack + Friends Blog Archive


Capture The Flag Too Boring?

Max Dornsief complains that “Capture the Flag is getting somewhat boring.” That’s too bad, so with all due haste, here are some suggestions:

  • Capture the Business:
    …is a slight variation on the Ghetto Hackers game. The Ghetto hackers were all about simulating a real business, with its need for uptime. In capture the business, teams offer to re-build a more defensible and operable infrastructure for real local businesses, and attackers agree to attack only at set times. Points are taken away for each human and computer added to the system. (The “Ghetto Hackers Game” is described in “Defcon Capture the Flag: Defending Vulnerable Code from Intense Attack.” (PDF))
  • Capture The Fed:
    …is a game much like capture the flag, only with the “participation” of one or more government departments. The game proceeds in a public oversight fashion, ideally against a government department with lots of juicy data, like the tax collectors. Points are awarded for access and having no criminal record one year on.

    In a variation, the government department agrees to be attacked.

  • Capture the Vuln:
    Teams compete to write fully automated tools that find and report vulnerabilities soundly, and without false positives.
  • Finally, Capture the Flag Factory:
    Teams compete to produce the best capture the flag game kit, with flexible and reusable components which can be used to organize fun, effective games with new vulnerabilities and new rules with a minimum of efforts.