Everything needs to change with the times while successfully inheriting the legacy that has been accumulated so far. The security contest “SECCON” sponsored by the Japan Network Security Association (JNSA) is no exception. SECCON started in 2012, when the word “CTF” was unfamiliar and needed to be explained in detail, and has been an opportunity to discover and develop security personnel with the participation of top overseas teams. However, after more than 10 years, the IT environment and the situation surrounding security have changed, and now “refactoring” is progressing little by little in terms of both the competition environment and questions.
Top left: Yuto Maeda, Top right: Keita Nomura, Bottom: Hayato Shinjo, who is NG in appearance. At the center of this are young executive committee members, mainly in their 20s. We asked three members, Hayato Shinjo, Yuto Maeda, and Keita Nomura, what they are trying to change and what they are trying to evolve without changing. Rather, has it become easier to go online? SECCON 2020 CTF Q: Due to the influence of the new coronavirus, SECCON in 2020 was held online by combining the qualifying and the finals. What did you struggle with? Shinpo: No, I hadn’t had much trouble because the qualifying was held online so far. Rather, it was held online, and I didn’t have to hold my breath to discuss the issues of the final after the online qualifying as usual, so I was able to afford it mentally.
AMATERAS Thousand ranking display mode
Image courtesy of National Institute of Information and Communications Technology (NICT) Maeda: However, I heard that the score visualization system had some difficulties. Every year, the number of teams that advance to the final tournament is limited to more than 20 teams, but when it comes to online tournaments, dozens of times more teams participate. Also, since the competition format will be Jeopardy format instead of the conventional King of the Hill format, we decided that it would be difficult to use the “NIRVANA Kai SECCON Custom” used for visualization in the past final tournament as it is, and decided that it would be difficult to use the past “NIRVANA Kai SECCON Custom”. I decided to use “AMATERAS Zero” which is based on the visualization system used in “Ghost in the Shell CTF”, a collaboration event between “CTF for GIRLS” and “Ghost in the Shell REALIZE PROJECT”.
A black sphere indicates the problem server.It’s spectacular with the participating teams lined up behind
Image courtesy of: National Institute of Information and Communications Technology (NICT) Nomura: The existing visualization system was implemented depending on the score server used by SECCON, so we devised various ways to connect it to the database. I implemented it a little forcibly in the writing part. In addition to being the first attempt to visualize online CTF, there are some changes on the score server side that have made it late. As a result, it is a reflection that a bug appeared at the beginning of the competition, which bothered the team of the visualization system and the athletes. However, I was able to fix it quickly, and apart from that, I don’t think there will be any particular impact on the online event. CTF Q in the world where the pace of evolution is accelerating, complexity and creativity are increasing: It was said that infrastructure is gradually changing by utilizing the cloud and other means. Is the tendency of questions changing little by little? Maeda: The basic concept is to step out of the unique color of SECCON and aim for the standard of CTF held in the world. SECCON is often referred to as “CTF representing Japan”, but I thought about making it suitable in both name and reality. Nomura: Looking at the CTFs around the world, unlike the old CTFs, we are heading in a more sophisticated direction. Therefore, SECCON has been conscious of catching up with overseas CTFs and aiming for that direction for the past year or two. Maeda: In recent years, the pace of evolution of CTF in the world has been steadily increasing, and it has become more and more difficult. Basically, once a question is asked in some CTF, how to solve it will be released immediately, and I can not give a problem in the same way, but I feel that the cycle is getting faster and faster. It may be the result of increasing attention to CTF and increasing competition, but the speed of evolution of the world is rapidly increasing, and the quality required for problems is increasing. Based on my own experience of participating in various CTFs as a player, I think that SECCON must catch up with it. Q: What kind of problems are popular these days? Maeda: Hmm … I think it’s more correct to say that the concept of fashion itself has faded and you can ask anything. The previous problem was that “There is something suspicious here, so look for the flag” was presented, and many of them were relatively easy to understand, asking how to capture it, but it became more and more complicated. Originality is increasing. It’s not uncommon to have problems where you don’t even know where the clues are. The problem cannot be solved unless we pay attention to everywhere and find out that “this is suspicious” from the really small difference in behavior. If you don’t have a team that can solve that, you can’t rank high. Nomura: In my sense, in the old days, problems were created on the premise that “it would be great if you knew this kind of knowledge” in a trivia manner, but nowadays it’s just a matter of knowing the knowledge or just looking it up. It’s been said that it’s not fun to have a problem like that. Assuming that you know the knowledge, I feel that the emphasis is on puzzle elements, which asks you what to do with it. Maeda: For example, there are needles and threads here, but the threads never pass through the holes in the needles. However, after thinking about what a needle is and what a thread is, if you take out “something” that was in the range you didn’t notice, the thread will pass through well. There is an increasing number of problems that the path to the flag is visible in front of you, but for some reason it doesn’t work, and if you take out something suspicious there, you can solve it, so you need to be creative. To put it the other way around, the questioner is also researching that “when you have this and this, if you bring something like this, you can capture it like this”, and announce the research results and findings. It is a place. I feel like I’m trying to say, “I’ve prepared so far, but can you solve it?” Q: It’s like an academic society that presents research results. Maeda: I think that research can only be achieved by adding something to existing research, but that plus alpha part is something that everyone changes their hands and products. Nomura: A long time ago, at SECCON, there was a problem of reading a partially burned QR code, but that can be solved by using the code correction part of the QR code so that it can be restored. If you take the time to understand the problem of deciphering the flag from the video of the signal. It’s not a problem that directly leads to a flag like that, but a problem that can only be solved by devising a way to bypass some restrictions, I feel like that kind of problem is preferred. I think that the nature of literally “comparing the power of technology” has become stronger. Maeda: It may be said that we are heading toward such a tendency in the process of technological evolution. SECCON 2020 CTF Shinpo, who pursued questions aiming for world-class CTF: In recent years, I think there have been some differences in the way Japanese players and overseas players perceive CTF. SECCON in 2020 has gathered questioning members with the goal of becoming a CTF that players around the world think of and a world-class CTF. In the past SECCON, there were many problems that even people who do not know CTF can solve with time, such as those who worked hard and muddy. However, such a problem that anyone can do is not liked by top players from all over the world. In the first place, spending time is not the main focus of the problem, but the order is that it takes time as a result of properly understanding the problem and vulnerability. Maeda: There is a part that I can understand in the direction of the questions I have asked so far. The starting point is to get Japanese engineers to be widely interested in security and to solve it, so suddenly overseas people who said, “Hey, there is something called SECCON, let’s go out for a while.” You can’t do anything with a tough problem like CTF. In that sense, the problems of SECCON in the past were also valuable, but from the players who have appeared in other overseas tournaments, there was also a bad reputation that it was a time-consuming and annoying problem. Nomura: In that sense, I’ve been thinking about what SECCON should be in the last few years. I have no intention of denying that it is a festival where everyone gathers together, and I personally think that it is good, but in the first place, CTF competes for the strength of its technical capabilities. After all, I think that is the most fundamental part of CTF, and I have shifted the direction of SECCON to a direction where I can enjoy pure technology comparison. Q: How was the feedback from the participants of the 2020 SECCON, which has all the challenging issues? Shinpo: After all, there was a lot of feedback from the Japanese team, saying, “There was no problem to solve.” It may be the result of the definition of CTF in Japan moving in a unique direction. Q: Is it better to have such people participate in “SECCON Beginners”? Maeda: That’s right. However, even with SECCON Beginners, it is said that it is difficult, so how easy it is to solve is a long-standing issue. In Japan, there may be a need for problems that can be solved if you do your best due to cultural background, but as a CTF player, you do not want to solve problems that anyone can solve … After all, you can solve problems that only you can solve. Isn’t the joy of the moment great? I want you to enjoy that kind of joy. Q: What other reactions did you receive? Maeda: The members of the top teams participating in CTFs around the world said, “It was a very good problem.” In 2020, we were able to gather wonderful questioners, and I think we had a good problem with good quality and interestingness.