Hacking is all about curiosity, exploration, and deeply understanding how something works. Most people who identify as “hackers” are working very hard to protect people and to make technology easier and safer to use. Unfortunately, when most people hear or read about hacking in the news, the story is about people using hacking to do harm, but this couldn’t be further from the truth. Career-wise, people skilled in hacking are highly sought out by companies looking to strengthen their cybersecurity. Computer security experts are in very high demand today, and often are paid six-figure salaries.
CTFs (short for capture the flag) are a type of computer security competition. Contestants are presented with a set of challenges which test their creativity, technical (and googling) skills, and problem-solving ability. Challenges usually cover a number of categories, and when solved, each yields a string (called a flag) which is submitted to an online scoring service. CTFs are a great way to learn a wide array of computer security skills in a safe, legal environment, and are hosted and played by many security groups around the world for fun and practice.
There exist several other well-established highschool computer security competitions, including Cyberpatriot and USCC. These competitions focus primarily on systems administration fundamentals, which are very useful and marketable skills. However, we believe the proper purpose of a high school computer security competition is not only to teach valuable skills, but also to get students interested in and excited about computer science. Defensive competitions are often laborious affairs, and come down to running checklists and executing config scripts. Offense, on the other hand, is heavily focused on exploration and improvisation, and often has elements of play. We believe a competition touching on the offensive elements of computer security is therefore a better vehicle for ‘tech evangelism’ to students in American high schools. Further, we believe that an understanding of offensive techniques is essential for mounting an effective defense, and that the tools-and-configuration focus encountered in defensive competitions does not lead students to ‘know their enemy’ as effectively as teaching them to actively think like an attacker.
picoCTF is an offensively-oriented highschool computer security competition that seeks to generate interest in computer science among highschoolers: teaching them enough about computer security to pique their curiosity, motivating them to explore on their own, and enabling them to better defend their machines.
What will my students need to know?
What is the role of the teacher in this competition?
During the competition, our hope is that teacher sponsors will act primarily in a facilitator role, rather than a mentoring role. But we encourage teachers to help students with picoCTF 2017 in whatever way they see fit.
As a teacher, can I play too?
Absolutely! Everyone is welcome. Only US middle and high school students are eligible for prizes, but we encourage teachers (and others!) to play.
How can I keep track of how my students are doing?
You can have your students show you their progress in the game, or if they give you their username, you’ll be able to see their score on the public scoreboard.
How much time should I allocate? Do students have to work at particular times?
We plan to have a range of challenge difficulties. Students will be able to log in at any time and spend as much or as little time as they like during the two weeks. We also expect to keep the site running after the competition so students can continue learning after the competition is over.
Do student compete individually or in teams?
Each student will register individually. We are working on the ability for students to form teams.
What software do students need?
The competition can be done with just a web browser, but an SSH client (e.g. putty) can be helpful. Students are free to use other tools as well.
I’m still a bit confused…
No problem! Feel free to contact us and we would be happy to clarify anything for you.