The minds behind the Reply Cyber Security Challenge 🧠

You are one of the CTF Challenge creators. What is it about? [Riccardo]

CTF (capture the flag) is a mix of challenges that requires deep technical skills in order to complete them. There are 2 types of CTF: jeopardy and attack/defence. Reply’s CTF was jeopardy-style.

  • Jeopardy CTFs consists in trying to solve challenges of different difficulties about specific categories like reverse engineering, cryptography, web security. To solve the challenge, it is required to find a string, called flag. 🚩
  • Attack/Defence CTFs, as suggested by the name, require different skills because participants have to attack other teams’ servers while protecting their own machines from being hacked. Depending on the nature of the particular CTF game, teams may either be attempting to take an opponent’s flag from their machine or to plant their own flag on their opponent’s machine.

What is the plot of the story of this CTF edition [Cecilia]

The main (and only) character is R-Boy, a young man 👦 💗️💻, passionate about security. He dreams of being part of the Keen Minds, a group of security experts. To realise his dream, he trains hard every day, playing challenges, increasing his skills and studying.

One day during a training session, he accidentally intercepts an encrypted message about a group of rebels planning a major cyber-attack. This could be a disaster for the whole of humanity, of course our R-Boy needs to do something 😉

The message he intercepted was missing vital information. The players’ goal is to solve the various challenges in order to help him reveal the rebel plan, prevent the attack, and save the 🌎!

Why does it take 24h or more to complete a CTF Challenge? [Salvatore]

Unfortunately, there is no standard rule or formula to calculate the correct duration of a CTF competition.

The organisers have to tuneup the CTF duration according to a series of parameters such as the different categories, the number of challenges for category, the intrinsic difficulty of each challenge and, last but not least, the maximum number of players for each team, trying to find the correct balance between the CTF duration and these parameters.

Reply CTF was comprised of 25 challenges divided into 5 categories. Each team was composed by 4 players at most. The challenges’ difficulty was not so high, so everyone could have a good time playing the CTF 😁

With all these aspects in mind, we chose to set a total duration of 24 hours 🕑for the challenges resolution, plus another day to allow the participants to send us their write-up for each of the resolved challenges.

What are the main differences between a Reply CTF and DEFCON CTF? [Mauro]

DEFCON is probably the world’s largest hacking convention and one of the most difficult CTF out there. Comparing to DEFCON, Reply CTF was in its first edition and target a much lower lever audience in terms of competence and skills, focusing specifically to students and possible future Replyers 😉

From a technical point of view, both Reply CTF and DEFCON can be considered as Jeopardy-style CTFs, while DEFCON finals typically involve an attack/defence format ⚔️, where participants have to attack other teams’ servers while protecting their own machines from being hacked.

What are the difficulties you can meet as an organiser during the challenge? [Riccardo]

I would say there are three main issues to deal with.

1️. Reply’s CTF had 5 levels for each category ordered by difficulty. It is not easy to calibrate the challenges’ difficulty. If you know the challenge, it may look too easy for you and you could add too many hints in the challenge. It is important that other organisers test others’ challenges and test if it works fine and also it is tough enough.

2. The second issue is the hardening of platform and servers. You have to deal with skilled and smart participants with experience in cybersecurity. 😏Some of them will try to attack the platform just for fun and to avoid a bad reputation and ensure a good experience for other participants, it is important to make the whole infrastructure robust and secure.

3. Third, during the CTF, participants try to attack the platform in several ways and it is important to keep track on everything and in case ban IPs or accounts that violates the rules. 🚫 To do this it is required to keep always someone in charge of looking for suspicious activities. It happened and we had to deal with these misbehaviours.

Watch the interview!

Your ✌️cents for the student that would like to become a cyber-security expert and prepare for a CTF. [Riccardo]

If you are studying computer science/engineering at the university you should check for local CTF teams and join them. 👨‍👨‍👧‍👧

It is important to have a solid background in computer network, computer security and a big passion and motivation to learn from other people and by yourself.

On Internet it is full of write-ups about old CTFs’ solutions. You can start by reading them and also participate to some easier CTF events.

➡️ CTFTime is a good starting point.

There you can find future and past CTFs with solutions made by other teams.

Why a student should join Reply in one line? 🏃[Riccardo]

As you can see here at Reply we do events outside our regular job.

This is a good point in my opinion since you have the chance to learn new things you don’t usually do during work and it is a good way to strength friendship with other Replyers and having fun.

Reply organises also other social events during the year, free English courses, daily trips every month and several internal courses about trending topics, not necessarily related to your job. 😉

I would say Reply cares about the human part and not just about the profit.

They cover tons of different fields of IT, from cybersecurity to video games, from web development to 3D printing, so if you are searching an IT job probably you can find it at Reply (and they are eager of new talents)!