It’s been a great honor and pleasure to be part of Legitimate Business Syndicate while hosting DEF CON Capture the Flag for the last five years. Now that DEF CON has announced the selection process for the next DEF CON CTF organizers, it’s time for the next organizers to step up to the plate, take the reins, and mix their metaphors on the way to becoming the new DEF CON Capture the Flag organizers. I hope you’ll find this series of posts useful when building your next Capture the Flag game, or writing a proposal for the big one.
The most important part of running DEF CON CTF is the team you run it with. You have to trust in your other teammates’ skills, because running a complex, multi-challenge CTF alone simply isn’t doable. Before you can organize a CTF, you first must organize a team. This team should have skills with network operations, application operations (devops), forward and reverse engineering of complex networked services, full-stack database-backed web application development, real-time computer graphics, visual design, and more. More than the skills though, team members should be able to explain and share their knowledge. If you’re not cross-training skills among your team, you’re actively harming yourself.
Make sure team members know what they're getting in to. Learn what DEF CON CTF means for them, why DEF CON CTF is special for them, and why they should dedicate years of their life to it.
Naming your group is important! We got a lot of mileage about all the permutations of “Legitimate Business Syndicate.”
You don’t have a team without a way of communicating with the rest of your team. When we started in 2012-2013, we used a private Google Plus group. Since the end of the 2013 CTF season, we’ve used Slack, which you’re almost certainly familiar with. We also have a ton of stuff on Google Drive: meeting notes, material for publication, expenses, etc.
We’ve shared the same gitolite install for the whole time. Infrastructure projects keep to one repo per project, like the ideal “Twelve Factor App.” Challenges tend to live in per-challenge-author repos, because challenges are pretty fluid and git merges can be hard. Lightning and I had a lot of just normal merge conflicts while I was working on the typesetting system for the cLEMENCy manual, and that was enough to knock both of us out of our workflows.
Writing the Proposal
We wrote our proposal basically as soon as we knew what questions we had to answer. Get everyone together in the same room for a whole weekend, a month before the response is due. Seriously. Submit that shit early. DEF CON will forgive some weirdness and inconsistency more than they'll forgive lateness.
Get everyone who’ll help you run the game your first year together and just hash it out over a weekend. Even if there’s a three hour drive involved. If there’s a flight involved. Not even joking. The proposal will be what guides you and advises you for the hardest CTF you’ve ever participated in.
We put 95% of ours together over a single weekend, a month before it was due.
Seriously, Just Fucking Do It, the only thing you have to lose is you not hosting DEF CON CTF.
- Basic Hype Game
- Building Qualifiers
- Building Finals
Thanks Lightning, Murmus, and Zap for proofreading and reviewing.