Saturday, March 9, 2024

Oh why. CTF Dramas.

Hmm.. This will be my first time publishing something non-tech related, just to clear up the dramas from the local cybersecurity scene. I'll try to answer each of them in chronological order, mentioning friends' names (some will be redacted) and screenshots as proof.

Why I attended RAWSEC RENTAS

  • This is for sure a sign of support for their commitment to organise cybersecurity events in Malaysia. I've reposted the event's details and liked (thumbs up) the posts they shared on LinkedIn and other social media.

  • Do I really want to go there? Not really. The reason is the place is too far from my home. I need to spend ~RM100+ to travel there. However, my friend Sr****n said he would be there to listen to the talks. Also, many friends from M53 and MCC alumni would be participating in the CTF. Taking advantage of that, and considering the fasting month was coming soon, I decided to go and have a gathering too. See below and check the dates.

Done. Next:

"Ok je" comment.

  • Correct. I agree that I said "ok je", and I still stand by that opinion. Nothing is wrong with the CTF at RENTAS. But please don't twist it too much here. That's the only comment I gave, and when RAWSEC's crew member, Sh****l, wanted to gather more opinions, I was ready. We were at the round table in the hall, and he brought his MacBook, which I assumed he wanted to use to take note of my further opinions. But none of that happened. Why? Because my friend Sr****n, who is also a co-worker of Sh****l, came to the table and we started talking about other stuff while listening to the first talk about DevSecOops. Then came another friend who is also a RAWSEC crew member, E**a, and the conversation about other topics kept going until the first talk finished. Then it was a quick break. During this time, me, Sr****n and three other friends decided to see the CTF, which was held in a different building, 1 km from the hall. Sr****n decided to walk there, and I followed.
  • End. I hope the person who tweeted this could ask Sh****l for further clarification. Sr****n was there too; feel free to ask him as well if needed.

Why "Ok je"

  • Ok je = acceptable. During the pre-qualification round, RAWSEC posted a poll on LinkedIn and I voted "Below expectation". At that time, yes, I stood by that decision; it was "Below expectation" due to the comments and complaints I saw in chats about the questions from the participants (M53 and MCC members). I received a message from someone stating that RAWSEC members were quite upset with it.

  • On what justification? Because, as also a CTF organiser and player, I'm expecting a good challenge from the RENTAS organiser. When I say good, it means not too many guessy challenges, clear questions, and no trolls. Check the chat logs from the participants below:

  • In fact, me and friends keep educating others who would organise CTFs not to do trolls or guessy (read: stego) challenges anymore. We shared a presentation about it at a few local cybersecurity conferences:

  • So were all of the questions guessy? No, of course not. Some of them were good. Kudos to the challenge creator(s).

  • And you, Mr Rydenz, at the end of the pre-qualification told the participants that the CTF is for students and for fun! Don't compare it with Defcon or BH. OK! That's a good reason.

  • With all of these, I agree that the CTF was "Ok je" a.k.a. acceptable, if that's the goal. Nothing else. Not comparing it with other CTFs etc.

The retweet drama

  • I learned about the tweets from yondie and trailblazer when I was at the RENTAS venue, if I'm not mistaken around 2-3 PM. I was told by other friends who had recently arrived there. As an open-minded person, I of course also agreed with their opinions! Why? Do research on who these two persons are. They have vast experience in handling CTFs, and have won CTFs locally and globally when they were students and even after they graduated. Their passion can't be compared with someone like me who is still not as good as them! Can't I agree with them? The dramas have been circulated around the community, and of course, people who want to voice their opinions will do so.
  • The real question is: WHY THE F AM I THE ONE WHO NEEDS TO TAKE RESPONSIBILITY FOR OTHERS' F OPINIONS?! Check the number of people who retweeted and liked their status.

Constructive feedback?

  • I'm open to giving constructive opinions based on research, data, and the experience I've had organising, playing, learning, and observing CTFs. But first I want to let the organiser do what they are doing. I can't impose my opinions on others' events. That's their hard work and I should respect that. Especially when I heard that many of the participants' opinions were rejected straight away by the organiser, I decided to stay quiet.
  • However, Mr Rydenz keeps forcing me to give opinions, and I hope the constructive feedback below will be accepted.

Pre-qual writeups judging:

  • Good catch on the abnormal writeups by the teams your team identified. I would also put these writeups on my "suspicious" list.
  • The not-so-good action here is the rushed decision made by the judges. Directly disqualifying them without further investigation and without interviewing them makes it likely that your decision is wrong.
  • When I heard about the teams who were disqualified, I asked for their writeups. I read them. I asked them what reasons they were given for being disqualified. Fair comments from the judges. However, innocent until proven guilty. The next steps the judges should consider before deciding whether to disqualify them are:
    • Their situation. Pre-qual took place on weekdays. They are students. Some might have had classes or exams, or some might be in their internship sorting out their workloads.
    • There is a likelihood of them rushing to submit without revisiting the writeups again after a sleepless night.
    • Is it their fault for being clumsy? Correct. But we need to have empathy. Be in their shoes. Otherwise, our wrong decision might miss a good talent.
    • Judges should not announce the results yet. Teams with similar "abnormal" cases can be reviewed again with simultaneous video interviews, without them knowing the reason for the interview. Send an invitation to each team, and do the interviews at the same time, with different people. You are likely to have many judges; ask each judge to pick a team and conduct the interviews at the same time, so they cannot cheat again.
    • Compare their "abnormal" flag submission timestamps.
    • Compare their normal flag submission timestamps.
    • Look for anything abnormal in the submissions that can hint they are sharing flags.
    • Remember, sharing flags requires at least two teams: a provider and a receiver.
    • If proven with solid proof, disqualify.
    • If it can't be proven with solid information, you can either deduct points for the "abnormal" questions, apply a penalty, or vote among the judges on whether to disqualify them or not.
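To make the timestamp checks above concrete, here is an added example of my own (not anything from RAWSEC or the RENTAS CTF) that runs the "compare abnormal versus normal submission timestamps" idea over a constructed submission log; the team names, challenge names, the judges' "abnormal" challenge list and the 10-minute window are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from itertools import combinations

# Constructed sample log of correct flag submissions: (team, challenge, timestamp).
# Hypothetical data for illustration only, not from the CTF discussed in the post.
SUBMISSIONS = [
    ("alpha",   "web1",   "2024-03-04 10:02:00"),
    ("bravo",   "web1",   "2024-03-04 13:40:00"),
    ("charlie", "web1",   "2024-03-04 15:00:00"),
    ("alpha",   "pwn1",   "2024-03-04 11:15:00"),
    ("bravo",   "pwn1",   "2024-03-05 09:05:00"),
    ("alpha",   "stego2", "2024-03-05 22:10:00"),
    ("bravo",   "stego2", "2024-03-05 22:13:00"),
    ("charlie", "stego2", "2024-03-06 12:00:00"),
    ("alpha",   "mobile", "2024-03-06 01:30:00"),
    ("bravo",   "mobile", "2024-03-06 01:34:00"),
]
# Challenges the judges flagged from the suspicious writeups (assumed).
ABNORMAL = {"stego2", "mobile"}
WINDOW = timedelta(minutes=10)  # assumed "too close to be a coincidence" gap

def _first_solves(log):
    """Map challenge -> {team: time of that team's first correct submission}."""
    by_chal = defaultdict(dict)
    for team, chal, ts in log:
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        by_chal[chal][team] = min(t, by_chal[chal].get(team, t))
    return by_chal

def close_pairs(log, abnormal, window=WINDOW):
    """Count, per (provider, receiver) pair, the abnormal and normal challenges
    where both teams' first solves fall within `window` of each other.
    The earlier submitter is the provider: flag sharing always needs two sides."""
    pairs = defaultdict(lambda: {"abnormal": 0, "normal": 0})
    for chal, solves in _first_solves(log).items():
        for a, b in combinations(sorted(solves), 2):
            ta, tb = solves[a], solves[b]
            if abs(ta - tb) <= window:
                provider, receiver = (a, b) if ta <= tb else (b, a)
                pairs[(provider, receiver)]["abnormal" if chal in abnormal else "normal"] += 1
    return dict(pairs)

def suspects(log, abnormal, window=WINDOW):
    """Pairs that are close only on abnormal challenges and never on normal ones.
    This is a lead for the interview step, not proof on its own."""
    return sorted(p for p, c in close_pairs(log, abnormal, window).items()
                  if c["abnormal"] >= 2 and c["normal"] == 0)

if __name__ == "__main__":
    print(suspects(SUBMISSIONS, ABNORMAL))
```

A pair that is equally close on normal challenges is more likely just two teams on the same timetable, which is why the normal-challenge comparison is kept as the control.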

Unclear and misleading information in the question itself

  • Some challenges were put into categories that did not fit how they are solved
  • Some challenges came with guessing questions
  • Too many trolls and rabbit holes
  • An example is the Mobile DFIR challenge.

  • The title could be replaced with "Tampered Mobile DFIR Report", which lets the participant understand they need to focus on the report itself instead of looking at the raw mobile extraction from the device, which is what is generally used for mobile forensics.
  • Here are some examples; check out how the question is being used:
  • The description above could be made less misleading: instead of "the data has been tampered with", use "the report has been stolen and someone tampered with the details". Clear and precise.

Do not jump to conclusions immediately

  • For every piece of feedback received, do not respond to it immediately. Instead, discuss it with your team first before replying, to ensure everyone agrees with it.
  • Do not be defensive. There are ways to respond positively to an upset comment from participants.

No visitor area at the onsite CTF

  • Me and friends were there to visit the finalists as moral support. It is common for every onsite CTF to have an area reserved for visitors to observe.
  • At least, if the room can't be entered at all, screen the scoreboard outside where visitors can see it. That's the only entertainment they have. To make it more interesting, one or two of your team members could be commentators describing what is happening from the judges' dashboard, without disclosing hints or hidden content.

Okay. I have had enough drama to entertain me already. I need to take my bus back home. All the best; I hope you can accept the opinions given in this post, and for the participants who read this, give real feedback. Stop being a "humble politician". Otherwise, the CTF scene in Malaysia will not get better.