mnemonic security podcast
The mnemonic security podcast is a place where IT Security professionals can go to obtain insight into what their peers are working with and thinking about.
CTFs
In this episode of the mnemonic security podcast, Robby is joined by Eirik Nordbø and Marius Kotlarz from Equinor, as well as Haakon Staff from mnemonic.
Together, they discuss the world of Capture the Flag (CTF) competitions, exploring their origins, structure, and benefits. CTFs, as they explain, are “hacking” contests featuring challenges such as cryptography and reverse engineering, where participants solve tasks to uncover "flags" and earn points.
The discussion highlights the educational value of CTFs, particularly in helping developers, pentesters, and other IT professionals refine their skills and master advanced techniques. The group also addresses the logistical challenges of hosting a CTF—such as the Equinor CTF—from infrastructure setup to stress testing, while emphasizing the passion and expertise required to organize a successful event. Finally, they explore how CTFs can serve as a valuable recruitment tool for identifying and attracting top security talent.
From our headquarters in Oslo, Norway, and on behalf of our host, Robby Peralta: welcome to the mnemonic security podcast.
Speaker 2:Capture the Flag competitions are more than just fun and games. In them, you will find some of the toughest puzzles, quirky exploits, flashing lights and, hopefully, a bar to take the edge off and, by the way, I've never seen a bar with so many energy drinks. When done properly, CTFs can provide concrete learning experiences for advanced topics. They can make security concepts fun and engaging, changing negative perceptions amongst, for example, developers, and are a great way to learn practical tasks that are useful in real-life scenarios. They can also help you to find new friends, land your next job and, if you make one yourself, like the guys you'll soon hear from did, put a smile on over 500 people's faces and provide them with an experience they'll never forget. So, capture the flag in 2025. And today we'll do that together with the Equinor Pwn team, I hope that's how you say "pwn": Haakon Staff, Marius Kotlarz and Eirik Nordbø. Welcome to the podcast. Thank you.
Speaker 2:You guys are the I want to say the owners, the creators and participants of the legendary Equinor CTF, and my first question for you today is right before you kick it off, you just say capture the flag.
Speaker 1:That's actually a good idea, but I've never played Halo so I didn't know about that. But the first blood music we have is from Doom or something, when it says first blood.
Speaker 3:Nice, it's from Quake, isn't it Some?
Speaker 2:game. So it's just me that thinks of Halo when I hear capture the flag.
Speaker 4:No, I mean, I play the Halo series, so I also think about that, but I would say, though, that the music I play are pretty epic though, so I mean it works for me at least Cool.
Speaker 2:Good, then I'm not totally off. But who wants to go first? Who are you guys?
Speaker 1:I'll go first. My name is, as you said, perfectly pronounced, Eirik Nordbø. I work in the Equinor Cyber Defense Center. I've worked in Equinor since I was done with my master's. That was in 2011. I started working in security in 2015-ish and I've been working with security, both pen testing and incident response, ever since.
Speaker 2:Nice. I guess I should ask you what do you call it, your handle, what is your at name?
Speaker 1:Yeah, I'm Nordbo, so it's my last name without the Norwegian characters. Okay, nice. Marius?
Speaker 3:Marius, so my name is Marius Kotlarz, Kotlash, I think. I joined almost two years ago as an incident responder, or actually I switched full-time over to the security testing team, so I work as a pen tester now. I guess that's basically what I do.
Speaker 1:You work as a potato as well?
Speaker 3:Yeah, I do stuff Potato slash pen tester yes, and my handle it used to be before I joined CTF. It used to be CryptoLush, but then I joined CTF and crypto in CTF isn't the same as the crypto I was used to and I don't know crypto, so I had to remove IPTO from my name or my nick. You demoted yourself.
Speaker 2:You're an honest man, at least.
Speaker 1:And everyone thought your name was Lars as well.
Speaker 3:So like Lars, because it's K-Lars.
Speaker 2:I thought the Z was just like a cool thing to do. Add a Z to the end.
Speaker 3:But that's actually your name?
Speaker 2:Yeah, basically. Cool. And Haakon, what about you? Yeah.
Speaker 4:I'm Haakon. As I said, I work in mnemonic as a pen tester in the department of technical risk services, and this year I was one of the lucky participants to join the Equinor CTF. So now I will mostly represent, at least try to represent, the CTF community and ask questions that we're all wondering about as participants. Cool.
Speaker 2:So I've been looking forward to this episode, because I know nothing about CTFs. I've been to one before. What is that? It's that one in Finland, Disobey, and I was the most useless person in the entire conference. So for people that haven't heard of a CTF, what is a CTF?
Speaker 3:So, really basic, it's a hacking competition. You get challenges or tasks within different categories, so web, it could be cryptography, it could be you get a program that you have to reverse engineer, you have to exploit something, you have to find vulnerabilities, and the goal in the end is to find a flag. So it's a capture the flag. You're supposed to find a string, could be words, it has a specific format, and this is the answer to that task or challenge. So you submit that. If it's correct, you get points.
Speaker 2:That's basically it, nice. And which one was that? Was that Jeopardy, attack and defense, or King of the Hill?
Speaker 3:That's okay. Yes, so you also have AD, attack and defense, which is set up so that different teams have their own network of machines and each machine has one or more services and, by design, these services are vulnerable. So the goal in attack and defense is to attack these services on other teams, that's the red team part, but also kind of patch and protect, yeah, defend yourself. So you have attack, you use these vulnerabilities that you found, and defend by patching these.
Speaker 1:But probably the most fun ones, but it's also the most exhausting one, most stressful and most demanding. You need a lot of custom tooling and infrastructure to be good at it. So it's a whole different ballgame, and I guess King of the Hill isn't much played. It's mostly Jeopardy and some attack and defense.
Speaker 3:So King of the Hill is where you have teams that compete against one machine, like finding vulnerabilities and blocking the other attackers, and the longer you are the guy or the team that's owning the machine, you get points. Cool.
Speaker 2:I think I've only seen Jeopardy being played and that shit did not look unstressful. At least there's a lot of stress, people. Attack and defense, you guys played StarCraft before? Kind of reminds me of StarCraft. Yeah, it's pretty much StarCraft, fun, fun. Having seen those challenges, of course, I didn't understand half the shit I was looking at on the screen, right, but just saying, yeah, I could just understand that. Okay, this is actually, even though it's for fun and games, you're getting really good at your jobs. You're getting better at your jobs by doing these things, right, especially if you're a pen tester or if you're defending. So this is not, it's actually good for the companies that you're doing this, right. Would you agree?
Speaker 1:Yeah, absolutely, and I guess there are some split opinions here, especially among pen testers. Some would rather say, oh, it's for kids who don't learn anything, it's just guessy. But our impression is that you learn a lot from CTFs and we have a lot of concrete examples where stuff we learned playing CTF, and also more advanced stuff. For example in the Insomni'hack CTF they have really good Windows internals people, so challenges they have made there, we have found the same in, for example, drivers or the Windows internals stuff that we in the first place learned from CTFs, and on a more beginner level, just learning about the tooling and how to do easy stuff.
Speaker 1:In the beginning, when I was at my first SANS course, I didn't know about the tool Netcat, which is basically just to create the communication channel between two computers, and I had no idea. So the last challenge there was just, you should extract a database and take the MD5 sum of it and host, something like that. At least you had to extract the whole database. Today I'd have used two seconds just to pipe it over, and at the time I didn't know, because I hadn't that experience. Learning just how to operate, how to pop a shell, how to get your shell better, like there's a lot of stuff you learn in CTFs that you use both as a blue and a red teamer.
Speaker 3:Yeah, and definitely. I just want to add that, as Eirik said, there are techniques and stuff I've learned from CTFs which you can't learn at school or in courses. These techniques I've used at work at pentests to get zero days, so it is something of value, so you can't say pentests are bullshit. Of course you have challenges or CTFs that aren't the best, that are guessy, where the quality isn't there, but you do have good CTFs as well where you can learn a lot.
Speaker 4:I would also like to add that I've never underestimated the value of having fun with the concept, right, because I actually had the discussion with some developers. They were like, oh my God, security, that's just like a compliance requirement they shove down our throats and it's so annoying to deal with. And actually we did a CTF for some of these people and they're like, wow, this domain is actually quite fun. I mean, there are actually fun things there, not just something I need to do because my manager tells me to, right. So that's also something I think it's important to mention. For sure.
Speaker 2:Yeah, so if you're trying to get better at like Windows, whatever internals there's actually like certain CTFs or certain things you could actually go for, that would both have fun and actually teach you something, I guess.
Speaker 1:Yeah, absolutely. And even like the more advanced security topics, let's say reverse engineering, and starting out doing CTFs, and either doing them while they are live or just going back in history and finding old challenges and kind of learning from it, it's really, at least for me, a really good way to learn. I don't like to read books and learn that way. I rather like practical tasks, to do something and understand and learn that way. So I guess it depends from people to people, but at least for me it's a really good way to learn. And just a last comment on this: we, on the Equinor CTF this year, had a new category which we called real world, where we had kind of stuff we have found in real life. Some of it was even just copy-pasted applications that we had tested and we made CTF challenges, and I would even argue that most of them are even easier than the medium CTF challenges. So, being a pen tester, it depends on what you're testing, obviously, but it can often be even easier than doing quality CTFs.
Speaker 2:You guys all have CTFs on your résumés, in your CVs? Do you have a CV? I don't have one.
Speaker 1:I haven't worked a job in 15 years.
Speaker 4:I have the coins. Well, I can show.
Speaker 1:That's totally legit to do. So yeah, if I were to apply for a job, I would probably write something about it, of course, definitely. And I would say Marius has got this job here because of the CTF.
Speaker 3:Thing.
Speaker 1:It's no joke, that's how I got the job. It was even hard to get him in because, well, short story long, but we kind of knew him really well through CTFs and, compared to a job interview that is an hour or two, we kind of knew him for a long time and knew what he was capable of, so it was really easy for us to hire him. Obviously, it's been a really successful hiring for us and he's done a lot of good work for us. So we're super happy having him.
Speaker 2:So this is a recruitment thing. You should be taking notes, Haakon.
Speaker 4:This is how we're going to find people. I already know and am well aware, but I mean there are, I thought, kind of two segues that we can take from there. I guess both is the CTF community, right, that is quite strong and there's a lot of benefits in being part of that. But I think maybe we should just start talking about the Equinor CTF in general. I mean, there's so much to dive into there. So I mean, do you guys want to give like an introduction to what it is? Starting with that?
Speaker 1:Yeah, like, take the kind of history of it. When we started hiring new people, I think it was 2017-18, we were doing a bit of CTF, but not much. We weren't kind of playing a lot. But we started creating some CTF challenges that we used in recruitment and that kind of randomly, to some extent, attracted people, especially one guy. He's from Poland and he wanted to move to Norway and he saw the job and was like, eh, might be interesting. And then we gave him CTF challenges and he kind of loved it and was like, wow, this is it, I want to work here. So then we hired him. We also hired another guy at the same time as Vukash, who is also a CTF player. So, kind of when they joined, we were like a small team.
Speaker 1:So then we first started playing a bit as Equinor and then more as EPT in 2020. And at some point, I think in 2020 or the beginning of 2021, we were asked by some group at NTNU if we could host a CTF for them. But then we were really clear that maybe we should do a CTF, but we wanted it to be public and not just host for 20 people at some student gathering. So we said yes, but we also said at the same time it will be public. So that was our first CTF and it was mostly online. We went to Trondheim, to NTNU, and thought that we could gather some people there. Marius came, he came as a player from Oslo to play. A few other guys from Ygruttoppene came, but that was about it. There was no one on site.
Speaker 1:There were more people from EPT than players, but it was mainly an online competition, so there were a lot of people playing online. It was a success. So the next year we wanted to take it up a notch. So then we had like a semi thing where it was 24 hours. We started online but then we came on-site to the Bell in Oslo, and then I think we had 130 on-site participants in 2022. And then last year, the final evolution to the format we have today, which is on-site only for a day. Last year we had 270 people in Oslo, but the venue there didn't have more space, so that was kind of my test. And this year we were at the Hub Hotel in Oslo and we had about 500 participants. So that's like the evolution of where we've gone from and to, when it comes to people and the CTF itself. Obviously we have been kind of learning from our mistakes all the time, so hopefully, I guess we can speak more to it, but the experience has improved for the participants.
Speaker 2:Sounds like you're going to need, what is it called? Not Telenor Arena, Unity Arena next year.
Speaker 1:There are a lot of jokes about it, that we're going to be easy on everything, but I think actually that we are now happy with the size of the CTF and we'll probably, the next year, just keep the same size.
Speaker 4:I mean, I'm going to try to keep having more people from mnemonic join. So I mean we got what? 30 people this year. So I mean I'm going to try to double that.
Speaker 1:That's a challenge for you guys to at least add some more space. I think we'll just reserve a separate location for mnemonic.
Speaker 4:We can have the building by the side.
Speaker 1:It's a bit of a joke, but I think it's really impressive and really cool that so many people from mnemonic are actually joining. And I know some companies are kind of afraid to play with their name and kind of show how well or how badly they would do in a CTF, but mnemonic, yeah, feel like they have no fear and show up and show their talent and skills.
Speaker 4:So I think for us that's really cool to see. We had some internal discussions about that actually, and quickly we understood, and also because it was clear that we should split up in two teams, right, that we kind of took the, and this is like a tip to anyone at the other firms that want to do the same, is just be transparent, that you can create two teams where one is more competitive and one is not, and then you can say that out loud if you want or not. That's depending on how you want to do it, right. But internally that worked quite well, I think, because then you know the expectations are set already before you start, and then, yeah, the results kind of reflect which team you want to be on.
Speaker 1:I guess in general, and I think also like showing up and playing, I give a lot of credit just for doing that, no matter where you end up on the scoreboard, just having the guts to do so. And we did have a lot of different companies playing this year. Some with real names, some with fake names.
Speaker 2:So when you have this huge 500 boys and girls in a room, what does the infrastructure look like? I mean, I'm just imagining all the plugs you have to have in for all the computers. Tell me more about the infrastructure.
Speaker 1:Well, I was kind of depressed when it was telegraphed that way, because this year we messed up with the Wi-Fi. We knew obviously, having so many people in such a small area, having good Wi-Fi, you need actually a proper setup. And we talked to their vendor a billion times. They were like, no worries, it's fixed, and back and forth a lot. Then we got a lot of promises. They talked to the ISP. We were not allowed to talk to the ISP, back and forth, and in the end we just had to kind of say, okay, we have to trust you guys. But that didn't work at all.
Speaker 2:Never trust a sales guy. Exactly.
Speaker 1:So next year we have to do something about that, that's for sure. Probably bring in kind of tabletop infrastructure. But I think the more interesting infrastructure discussion is what is happening on the backend, with the platform and everything. So that has also evolved a lot. We have a platform, I guess you can talk more about that, Marius, but when it comes to infrastructure we're using AWS. This year we had two Kubernetes clusters, one for the platform and one for the challenges. We are building everything with Terraform so we can just spin it up really fast and then tear it down the next day, so we don't have to reuse anything. So that's also really helpful for these kinds of environments. And obviously we have a lot of focus on making sure that the platform is secure and the infra is secure and that if, let's say, you hack into something, a challenge, you basically get in there and there's a Kubernetes pod, and from there you should obviously not be able to reach everything else. So it's been kind of a continuous improvement over several years, the whole infra thing.
Speaker 2:Do you guys actually pen test your own?
Speaker 3:I guess we did test the platform somewhat last year, but also this year we have tested it in other avenues, I think.
Speaker 1:The load testing is the most important testing for us. When there are a billion people pressing F5 at the same time on the platform, we go down.
Speaker 4:I'm wondering if you ever do stress testing of the systems beforehand and so on, because obviously it's a huge load compared to when you set it up, I assume. Yeah, last year things went down during the start.
Speaker 3:I remember, I was there. So the thing is, I did a stress test last year but it was not a proper stress test at all. So this year I did a proper stress test where I tested both the platform, so the website and everything, but also fired up on-demand challenge containers, all of the VMs. I have PTSD from last year that they were down for a few minutes, because I know how annoying it is as a CTF player to not have working infrastructure. So this year we spent at least more time making sure things would run.
Speaker 2:I do remember at Disobey that it went down and luckily there was a lot of beer, so it was fine. But I guess that's an important part of the infrastructure, have a backup plan, a liquid backup plan.
Speaker 1:Yeah, and not only one. If you have Marius, you have like seven backup plans.
Speaker 3:I had some backup plans. Yes, I bought new domains. One of them is eptrepair, so I had a backup plan there so we could fail over in case.
Speaker 1:Marius didn't trust our distributed Kubernetes clusters in AWS. Trust, but there are several souls in the world. He had his own backup and I'm like the one who has to say, Marius, this is enough, it's good, now we have enough backup solutions.
Speaker 3:We also obviously have GitHub repositories with all the challenges that we can make public if we need to, so that people can access the challenges. Making sure the CTF is a good experience for the participants, basically, that you can play the CTF and not just sit there and be stuck.
Speaker 1:And I guess back to the stress part, it's not just playing a CTF. It's even more stressful to host a CTF, especially when shit hits the fan and something doesn't work and you have to try to concentrate with a billion people around you asking, why is it not working? What's going on? So that is all of the stress in this world of CTFs. We always say never again, for a few days.
Speaker 2:Till the next day. Oh shit, you guys are going to get responsibility for resilience in Equinor now too, with all your backup plans.
Speaker 4:I must say though, even though, as a participant, last year there were some issues, and this year there was some network stuff, still the total impression is that it's such an amazing setup, like it's really cool to play, and I mean you seem to be quite able to fix things on the fly or at least give the impression that you have things under control, which I think is the most important part, right. And yeah, I mean I know that some of my teammates struggled a bit with network lag and so on, and we had our own access points, which I now understand might have been a part of the issue.
Speaker 1:But I mean, taking that into account, the event was, it was so good, right. I mean I've only heard positive feedback from everyone who competed, right, even though there were some initial things here and there, like people don't remember that now. I think we put, like crazy, a lot of effort into making it a good experience, but also making it look professional, but, how to say this in a good way, we want it to look professional, but on the backend it's just us yoloing around with a lot of spaghetti, especially this year, with all the card readers and APIs all over and shooting ranges and walls with a lot of lights. That has also challenged it.
Speaker 3:I mean, from the participant point of view, it looks like everything is done very professionally, and I mean it's a DevSecOps profession. Yeah, it is, but that's kind of why it works so well, with all of this customization that we have on the platform, like the badges and the cards. We came up with that idea three weeks before the CTF.
Speaker 1:I guess we started planning a long time before the deadline, but in the end you're kind of so sold in, everything you think about is the deadline that looms. Unfortunately, when a lot of the good ideas pop up, it's right at the end.
Speaker 2:So it's always hectic. I'm sure you guys were sober when you had all those ideas too.
Speaker 1:I mean we were at work though.
Speaker 4:No, I'm very curious about the creative process, because we are also trying to make more CTF challenges now and so on. I mean, obviously there's a lot of time you can put into creating just one challenge, right? So I mean at the scale that you are creating. So I'm specifically wondering, when do you guys start the creative process for, say, the next year's event? When are you starting to create challenges? Do you already have some in mind?
Speaker 1:Yeah, we don't have challenges yet. Yes, I guess some has even made. Christian, no, he is like, the next day, he's like, how long until I can start creating next year's challenges? The day after the CTF. He's relentless. Us normal people, we start with the talk process, especially about the on-site stuff, because that is really important. It's also about the kind of competitive persons we are. We want to kind of compete against last year's CTF, our own CTF. So we want to make it better every year. So now we have to figure out something really great and amazing that we can do for next year. In August we have some ideas, but they kind of involve both heavy lifting and money and whatnot, so we'll see.
Speaker 3:For the creative process, for at least my case, if I come up with something or think about something, I write it down and then, when I have to make challenges, I can look at that and see if it's something I want to use, but then I discard it and make something new, for example.
Speaker 1:I think all of us, Kara, we write stuff down throughout the year, but often I also go back and look at what I wrote down, like, I don't remember what I meant by this. How is this supposed to work? It doesn't make any sense. But I think we try at least, and some are better than others. Kirsten again, he has a whole bankroll of challenges, I think, at least ideas that he has. To some people it comes easier than to others, but I know for me, at least in the beginning, I thought it was really, really hard to come up with ideas, but I think the more experience you have and confidence in your abilities to create good challenges, the easier it gets. So when I talk about experience, it's also from a lot of the challenges we made, both now and earlier, that are to some extent based on real-world scenarios, stuff we are actually seeing in the wild.
Speaker 2:So I guess, Haakon, don't you go help companies make CTFs for their employees?
Speaker 4:No, more that we host CTFs for them, but we try to put it in the right context of what the audience is, right. So, for example, you have developers who are obviously technically skilled but they are not really, not necessarily, in the security domain, right? So maybe you would create challenges like, for example, we host a full web-based CTF for developers, web developers, right, and we didn't give them crypto challenges or reversing because it doesn't make sense. Yeah, but I was also more curious about, because it sounds like you guys are working on challenges kind of throughout the year, but do you have workshops where you sit down together?
Speaker 4:Is this part of your job description? Do you get compensated in a way, if I can ask that? I mean, I think people are curious about that. Yes, I don't even know what my job description is, to be honest.
Speaker 1:I've been working here for so long, you know that there is no job description. That's an interesting point. The CTF itself started without, I think we got an approval, but there wasn't much money back then because it was only online and we just used some resources in AWS and that was kind of fine. And I don't know who is listening to this, but in general I can say that we have more kind of just done stuff and then hoped for approval after. Just want to make sure.
Speaker 1:For the CTF itself, we have like a business plan we wrote last year. That was approved. So now it's more official than it ever has been. And for this year I think we'll even actually try to get it into, maybe not the job descriptions, but at least make sure that Marius can use X amount of hours or X amount of days a year on this, because that's a problem we have had, that we haven't had it. We have spent a lot of working hours on it, but it hasn't kind of been part of all the other things we have to do. So that's one thing that we will continue to improve upon.
Speaker 1:And when it comes to kind of EPT and our CTF thing in general, at some point after we started EPT we also started winning and we got prizes, and sometimes even expensive prizes.
Speaker 1:And then Equinor said that, no, if you get prizes you can't keep them, because if you represent Equinor then we have kind of regulations on what you can accept and not accept as gifts, even though it's a competition of skill.
Speaker 1:And so then we said, okay, that's fine, maybe we then can get compensated by being allowed to travel to a CTF in Europe and attend and get that covered, and our leaders thought that was a good idea. And then it was brought in with HR and they were kind of straight, saying that, yeah, that's fine, but if they actually represent Equinor while playing, they also have to get paid for playing, and not all the time, obviously. But then we have an agreement that says that on some planned events we get paid by the hour, a maximum number of hours per event and a maximum number of events per year. There's a big steal on that. So it's a cool kind of compensation. But I think for Equinor, the kind of skills we have learned and the networks we have made and the communities we have created make up for it easily when it comes to the money-spending side of it.
Speaker 2:I mean, just the recruitment aspect of it is super obvious, right, because anybody in that community is like, oh, I would love to work for them, right? And then also the skills gaining yeah, I don't see any downside, honestly.
Speaker 1:I think we have a proven, highly capable kind of pentest/red team, and even our kind of more blue people are super skilled. So there's no doubt about the skills we gain, but I think also the kind of same people who like the CTF also like to kind of pentest and do well and find bugs and try to find that bug that no one else can. Having that mentality really helps in our actual jobs as well. So for Equinor, we are proud of the teams we have and the skills that are within the team. So yes, it's a win-win. And the most important thing when it comes to why we do this, it'll be also building the communities, and for a big company like Equinor it's really important that we do this.
Speaker 1:And for a big company like Equinor, it's really important for us that, for example, NSM or the police or whoever, government companies, or even mnemonic, who is a security consulting company, and all the other companies also have skilled people. So we can help get more people into security and by that get more skilled people into other companies and other functions in both Norway and the world. That also helps us in the long run because we depend on everyone else. We have a billion suppliers and partners and whatnot. So all in all, we're just super happy that we're allowed. We're really, of course, happy that Norway gives us the opportunity to do this and at the same time we kind of help build this security community, especially in Norway, of course.
Speaker 2:I had no idea how big a role that CTFs actually play and like, if I was going to, that should be in our job description in mnemonic. Like you have to play CTFs, like you have to show us experience there.
Speaker 4:I remember something you said, I think it was you, Eirik, during the event. Is that as a joke? I would say, probably, that you were like, yeah, remember that this is also for the firms that are out there today, that this is also an assessment of if you're able to get contracts with us. And I speak since we did quite well.
Speaker 1:I'm happy to see that that's a requirement, but I think that's kind of funny, right, and maybe something to... Obviously a joke, but at the same time we think it's funny that there's a lot of consulting companies that obviously work for us, show up and show their skills. So it's a joke, but at the same time we get kind of respect for people who put in the work and do well, as you guys did, obviously. But I just want to say another thing before, so people don't think that we only appreciate CTF players. This is not for everyone and there's a lot of skilled people out there who have never played a CTF or never have kicked. It's not like you have to play CTF to be successful in security, obviously, but for some people it's a really good way to kind of learn and develop and even just to kind of build that community and get an effort.
Speaker 4:Absolutely. I mean, like a leading question when you guys talk about this. So what are your tips to people like me who want to start a CTF initiative in my company, because I'm not necessarily the person that has the mandate or the money or the budget, right? So what do you tell me? How can I start this?
Speaker 1:We didn't have any of those things either when we started. I think it needs to be started based on the joy of playing CTFs and trying to do this. Real corporate will always fail to some extent, I think, because you need the passion, you need the drive, and even though we are a company and we get paid to some extent for this, it feels for us, at least the ones who use the most time on this, it's just as much dugnad, as we say in Norway. We spend a lot of our spare time creating challenges, setting up infrastructure and everything else that goes into this. So you need those kind of ildsjeler, as you say in Norwegian, to do the hard work. If you just go in and everyone expects you to just do this in working hours, and pay for everything, training, challenges and whatnot, it's going to be too expensive. You need like a full team doing this 24-7, and I don't think that will ever work. I think you need to find other passionate people at mnemonic who also like this and start playing and having fun and from there start small.
Speaker 1:Processes were just kind of organic. It started by us being motivated to do so because we liked CTFing and we liked hosting CTFs and there was never some expectation to get paid or whatever. It's more about having time and all that stuff. So the core of it, I think again, is seeing a lot of corporate CTF stuff, and a lot of times when they don't have real CTF players organizing, it's really bad. Both the challenges and the infrastructure and just their understanding of the game. And if something happens during the CTF that is unforeseen and unfair, the ruling from people who are admins, if they haven't played themselves, is always horrible.
Speaker 2:And then it's even more on everything.
Speaker 1:It's shit, kind of. So you need, yeah, you need passionate people who have played a lot of CTF themselves. That's the most important, I guess.
Speaker 4:Marius, you're shaking your head. Do you have any?
Speaker 3:No, in terms of people hosting CTFs that don't have experience with CTFs. I'm not going to mention examples, but there was a competition last year and it ended with the players getting blamed, and the players are hacking the infrastructure, breaking everything, and basically just, it wasn't the host's fault, it was the players' fault, and they just didn't manage to... They were out of this world. I would say they were on another planet when it comes to hosting CTFs.
Speaker 1:And also blaming players for it. Yeah, so like blaming players for hacking the infrastructure. Imagine you get 500 hackers in a room. What do you think will happen? They want to hack everything. That's the kind of point. So, yes, of course we also say please don't hack our infrastructure, but we expect you to do so anyways, and we won't get mad at you if you do. That's just a guideline.
Speaker 2:Isn't there a word for that? Toxic? Isn't there the word toxic? In your culture Doesn't that mean something?
Speaker 1:No, but I'm like, hackers are going to have to use something, and the toxic detoxing, that's kind of sad and stupid. But we have examples where we have played CTFs and we have hacked the infrastructure ourselves, because hackers can hack. So a good example is less experienced organizers that host a binary exploitation challenge on the same server where they host their platform, and then you pop a shell on that pwn challenge and then suddenly you see that, oh, there's a DB running here and there's a CTFd infrastructure running here, and what if I get those creds and connect to the database and there's all the flags. So we have done that. We've done other stuff that we maybe shouldn't talk about, but it's part of the culture, and as long as you don't mess up for everyone else, pretty much everything flies in CTF. So we have a kind of iceberg of CTF tactics. I'm not sure if you've seen it; if you haven't, look it up. And I don't think we're up on the bottom layers there. We stay away from those.
Speaker 3:I mean, it is a legal, ethical hacking competition, right? So you do have hackers. It's a venue for... it's competitive as hell, and it's a venue for people to hack legally instead of doing stuff illegally.
Speaker 1:I would argue that if people would hack our infrastructure, we'd obviously appreciate it if they told us. For example, when we had the leaked challenges, that's a good example. We didn't get angry at the people who tried to solve them without telling us, even though they're actually our friends, many of them, we know them really well. They didn't tell us. They still tried to get a competitive advantage. Some organizers get mad at stuff like that and say you should have asked the professional and told me, I don't like you. But we know as competitors ourselves that we respect that. But again, if you do something that's just destructive, DDoSing or something like that, that's not okay. But when it comes to that, there's a lot of things we accept in the CTF community that are not accepted in other competitions.
Speaker 4:That, I would argue, a quote from Pirates of the Caribbean comes to mind, from the first movie. It's like, rules, they're more like guidelines.
Speaker 3:Anyways, I feel like they're applicable here. We should rename it on the website. Yeah, shouldn't be rules, should be guidelines.
Speaker 1:It's like with team sizes and everything. It's all guidelines.
Speaker 4:And then, on the flip side, say you are a person who has, you have the money, you have the budget, you have the power, the mandate in the company, and you want to start up this CTF stuff. Like, what is your message to them? Of course, just get these ildsjeler, as you call it. But how do you go about doing that if you have nothing, from scratch?
Speaker 3:But I mean, you can't force people either, right?
Speaker 1:I know a lot of people have tried exactly that and failed to some extent. You can, obviously, you can easily do it.
Speaker 1:Then you can host kind of corporate CTFs and kind of play with them, and they never played in a CTF before. That you can easily do, and give them kind of easy challenges and everything. But if you want to kind of have something bigger and invite more experienced players and kind of try to build your company's reputation upon it, I think you need experienced people. It's not the same, like, I want to build this cloud for my company. It's just the same that to some extent enterprise software sucks. If you try to compare it, it sucks compared to commercial software. It's the same with CTFs.
Speaker 1:Enterprise stuff is usually really poor, and that goes for both software and CTFs. And then software examples would be software we use, NetModular, that only bigger companies use. Often the quality of that software is poor, poorly written, but if it's something that's open source or it's used by a lot of people and you can download it for free, people will look at it and find bugs and improve it in their ecosystem. But if you have to pay a million dollars just to get your hands on it, obviously not a lot of security people were able to do so, so they got away with worse stuff. No, it's hard, but I don't have a good answer for you. I would hire Marius and a few other guys.
Speaker 3:Yeah, hire some ildsjeler, hire CTF players.
Speaker 4:But that is an honest answer, right? Sometimes that is the solution, right? Just get the right people, and I guess getting that is difficult. But very excited for when you guys open source your solution. I can say that we have something for now that we think will work quite well for us.
Speaker 1:Interesting. Will it be on-site or online?
Speaker 4:It will be on-site for a smaller audience. If people want to go there, of course they can do that. Yeah, we're looking forward to it. I mean, by all means, you're invited.
Speaker 2:We'll put it on the podcast budget, Haakon.
Speaker 4:Yeah, oh shit, we are committed, we are now. We are now yeah.
Speaker 2:By the way, when is the Equinor CTF next year?
Speaker 1:Let's announce that also. We say like, yeah, maybe we're not doing it, but obviously we're going to do it again. So it will be 8th of November at the MUTAS this year, The Hub Hotel in Oslo. Put that in my calendar.
Speaker 3:We need to agree in regards to registration and get that information out.
Speaker 1:Yes, we need to do something about that, because I think there will be more than 500 that want to go, so we need to make it fair somehow.
Speaker 2:This podcast may not help that goal of being under 500.
Speaker 4:Yeah, I think it needs to look like an extra huge tent or something. Just put it in the square. I don't know, we'll figure something out, but you need more than 500 people. I can tell you that already. We'll see.
Speaker 2:Looking forward to that. If you need a bartender or something. I'm not very useful for anything else, but I feel like now I will contribute my time too, where I'm useful, in a bar. I've been there before. Let's just go to the bar before.
Speaker 1:If we get another venue where there's no bartenders, we'll for sure. You're going to be a bartender, yeah.
Speaker 2:I can do that. Alright, gentlemen, thank you so much. See you around, bye. Well, that's all for today, folks. Thank you for tuning in to the Mnemonic Security Podcast. If you have any concepts or ideas that you'd like us to discuss on future episodes, please feel free to hit me up on LinkedIn or to send us a mail to podcast@mnemonic.no. Thank you for listening and we'll see you next time.