Hacker News new | ask | show | jobs
by tester756 1430 days ago
Imma use that opportunity and ask

Are skills of military/state-level actors comparable with CTF people?

Or they're mostly focused on different things, so it's tricky to compare those things?

I'm asking because it feels like at the end of the day all of those groups search for 0days
3 comments
gynvael 1430 days ago
There is some overlap, but only some.

In general CTF problems are limited in the sense that they need to be solvable withing the tournament time frame (usually 48h), and also the process is simpler - you don't have to be quiet, you grab the flag and that's it; no need to think beyond that point (i.e. no need to worry about backdooring, C2, hiding the traffic, lateral movement, detection, etc).

Also CTF problems might be super specific, to the extent of being unlikely to be encountered in a real world. The real world is a bit different - a lot of systems have same old boring issues. On the flip side when dealing with 0-days in stuff like modern browsers you are likely to exceed the level of complexity of even top CTF pwn challenges - mostly due to the aforementioned time constrain in CTFs.

That said, a lot of technical skills would be transferable between both areas. Regardless which way one would switch, there would still be a decent amount of learning (e.g. learning the CTF metagame, learning to think beyond getting a shell).

link
tester756 1430 days ago
Thank you
link
saagarjha 1430 days ago
CTF challenges typically do not involve zero days as their intended solution, due to time constraints. Often they will inject a vulnerability into e.g. Chromium by patching it in a way that might approximate a real bug, then hand you the patch so you save the weeks, months it takes to find stuff like this normally. So from there it becomes purely a test of being able to exploit the bug, although still your constraints are a bit different as you can be loud and only really need to succeed once when an actual state-level actor will want something better than that. But again, this is a result of time constraints.
link
gynvael 1430 days ago
This is true, though I need to add the missing phrase - "CTF challenges typically do not involve zero days" in real world software.

They do however strictly involve zero days in software created for the purpose of the CTF - that's basically what CTFs are about.

link
saagarjha 1429 days ago
Fair enough, although I would argue that a zero day in a menu-based heap massaging challenge is not really all that interesting :P
link
gynvael 1428 days ago
Not saying it's interesting (in the terms of a real world application), but it technically is an 0-day ;)
link
ajolly 1430 days ago
Also a lot of the time they are they can be the same people. Just one set of targets for your day job, one set of targets for fun at the CTF. (and the ctf challenges are probably easier)!
link