A CTF that addresses the shortfalls of such competitions

Nov 20, 2013 02:46 GMT

Capture the Flag (CTF) competitions are very important for the IT security community. A handful of people are confident that they can bring the CTF platform to the next level, which is why they’ve launched CTF365.

In order to learn more about CTF365, we’ve reached out for an interview with Marius Corîci, one of the people behind this project.

Softpedia: Please introduce yourself to our readers.

Marius Corîci: I would say I am a lazy entrepreneur who tries to think more in order to do less, preserving energy while providing simplicity. In 2003, I started doing business in the plumbing industry and co-founded ITS Group, a franchise for Romstal Company, the biggest plumbing installations retailer from South-Eastern Europe.

In 2007, I moved into the Artificial Intelligence field and founded Intelligentics, a group for Natural Language Processing. Now, I'm very focused on the world of infosec, and got involved in one of the biggest independent security projects in Romania: Hack-a-server Hackademy and CTF365. More about me.

Softpedia: How did you come up with the idea of launching CTF365?

Marius Corîci: In October 2011, we started the Hack a Server (HaS) Project, a web security testing platform using the power of crowd sourcing.

Hack-a-Server is a two sided marketplace where companies deploy their replica servers and hackers try to find vulnerabilities, report them and get paid for what they love to do most: hack servers, all covered by anonymity and confidentiality.

When we were building HaS we had to come up with a way to create a spin-off in case things were not moving in the direction that we anticipated.

One of the other many ways that HaS was able to be utilized was as a CTF platform. At the time, we didn't think seriously about making an entirely new product from what was the HaS backend but, in time, the idea of creating a brand new approach for CTF competitions began to become almost obsessive.

Softpedia: Tell us a few things about the CTF itself.

Marius Corîci: On CTF365, teams have to protect their web apps/servers and attack others at the same time. Every team's goal is to better protect their apps and servers and/or attack others and get points.

At this time, we score only offensive accomplishments, but in time we'll score defensive accomplishments as well based on an algorithm between uptime/downtime of your server and services, numbers of attack attempts vs successful attacks, among other factors.

On the offensive side of the CTF, things are pretty clear. Once you find a vulnerability and report it, if approved, you'll get points and rank badges depending on skill level or/and vulnerability found.

Softpedia: How is this project different from others?

Marius Corîci: Today’s CTF competitions are great, and can be very diverse in structure. They range from level based competitions and can even include an attack and defense scenario where red teams and blue teams try their best to attack (red) or defend (blue) an established server with services running on it.

Any spectator has to acknowledge and appreciate both the effort and dedication of the teams behind every CTF.

We at CTF365 feel that the current style of CTF has a few but major problems – the way in which they are designed and the way they're held:

* Don't last – Nowadays CTFs last between 24 hours up to a few days only – weeks at most.
* Remote – Not always can CTFs be held over the Internet, which means the players have to be physically in that room/building.
* Scattered – While these competitions occur all over the world, the small scale and length of time of the competitions can serve to cripple the potential of a much larger scale and larger timeline competition.
* These competitions tend to be largely scenario based with a lot of different restrictions and plenty of rules.
* Current CTF competitions tend not to mirror real life in the structure of the servers set up for the competitions.

We, the team behind CTF365, decided that it was time to change the way CTF is designed, as well as the way these competitions are held by bringing a brand new approach to information security challenges while producing gamification at a much larger scale; the largest venue of them all: World Wide.

Our goal is to create a real life Internet replica where security professionals, security students and those with a general interest in information security can get continuous training on real man-made servers and infrastructures; not in some special vulnerable designed servers.

The issue now is that when training information security students, these students learn on vulnerable platforms, and rarely have to actually try more than once to compromise a server or website; we want to change that and provide a real challenge – a safe way to test out “hacking skills” in the real world without consequence.

Softpedia: How many people are contributing to the project?

Marius Corîci: At this moment we have a core group of 6 members, each one with specific tasks. 4 Romanians including myself – the crazy one, Ionut Popovici – "The little one that coaling the fire," Cezar Andrici – The Wonder boy that makes all the front end magic, Ross Simpson, our developer leader from Cape Town, South Africa, and Mike Ringer, our Content Manager and Editor.

Softpedia: How many users have expressed interest in taking part in CTF365?

Marius Corîci: Our landing page shows the real numbers -- it updates every time someone accesses it. We have 12,000+ registered users and 1,100+ teams all around the world waiting to start.

Softpedia: In the current stage of the project, can anyone register? What must users do to join CTF365?

Marius Corîci: Yes, anyone can register at this moment, however not everybody can be part of Alpha/Beta stage.

Alpha is meant to test the way CTF365 will mimic the real Internet by its users, to find any bugs and vulnerabilities, to see what's going well and what must be improved.

Alpha stage is for information security company representatives, computer security faculty, companies that have information security departments that need continuous training, infosec conferences organizers, CERT/CSIRT as well as any organization who might want to test their platform on live servers with persons who can attempt to exploit them.

Anyone can register now, start to create a team, find their team mates and join our IRC channel.

Softpedia: What about the fees and prices? How much does it cost to sign up?

Marius Corîci: Being in Alpha, the use of the platform is free of charge. When we pass the Beta stage and go live, we'll have price packages to buy virtual credits.

Regarding the price, users/companies will be able to buy virtual credit packages according to their needs and use them as they want, when they want. Below is an example of what goods can be purchased and their virtual credits value.

As customers, we focus on information security companies like security training companies, penetration testing companies, managed security services companies, computer and cyber security faculty to provide security students with real life hacking experience, OWASP, CERT/CSIRT organizations, security conferences organizers, big companies and enterprises that are not primarily information security related that have offensive security or general information security departments as well.

We'll have packages for individuals as well but not until we get the platform established with a strong core membership in the information security field. CTF365 is being developed to be an exemplary training ground for real security professionals, system administrators and students.

Softpedia: What's the status of CTF365? When will the final version be released?

Marius Corîci: Hard to say for sure. If everything goes smoothly, in February 2014 we are projecting to be live.

Softpedia: Is there anything else you want to add?

Marius Corîci: CTF365 is NOT a GAME.

At its core, CTF365 is not a game. It’s a “Training Platform for Security Professionals and the IT Industry” that implements CTF concepts and leverages gamification mechanics to improve retention rate and speed up the learning/training curve.

CTF365 is an Internet within the Internet where users will build their servers and can experiment with simulated real-world services such as microblogging platforms like Twitter, social networks like Facebook or G+, as well as email services like Gmail or Yahoo. The beauty of the entire concept is that we allow users to hack these services and websites at will.

For instance, the real world has GoDaddy for domain registration, right? We have GoGrandpa.365 where users will be able to register their own domain.ctf or domain.365 website.

They can learn new offensive techniques or they can learn defensive security as well in a web development environment. Web developers can train their skills to build safer applications and learn how they can defend their apps from being hacked.

For security professionals and security students, as well as for web developers and system administrators this is the “Garden of Eden,” the mother of all training grounds, because it is not a pre-built lab with preconfigured vulnerabilities.

It's like the biggest army training ground or flight simulator where pilots get into tough situations without consequences. Users can hack anything, anywhere with any technique they want, as well as test platforms they feel to be secure against other hackers in order to better secure a product. What more could an information security professional want in a platform?

[Images: CTF365; Value of virtual credits; GoGrandpa.365]