Offline CTFs could also incorporate physical security challenges, like lockpicking
reply
I do like the idea of escape-the-room games becoming the cybersecurity employable competition meta.
reply
The recent LakeCTF onsite finals had exactly that. LLM usage was forbidden (but players still used their own devices) and there were real-life challenges such as lockpicking as well. I’m part of the organizer team and what we’ve heard so far from participants was that it was really enjoyable not to have any LLM help because suddenly the actual skill and thrill when solving a challenge mattered again. I think what helped in this case as well was that the prizes weren’t high-value enough to incentivize cheating but that participating in the event itself and the social aspect around it are the main point.
reply
They often do
reply
CTFs need preparation and unconstrained internet; even if you block domains, it’s possible to tunnel out.
reply
Unconstrained internet is nice, but I don't think it's a hard requirement. Just tricky to enforce, even in-person.
reply
It is a hard requirement. Once you reach higher levels of challenges you spend most of your time reading through RFCs, web specs, GitHub issues, mailing lists, papers, random bugtrackers and library/framework code. There is no way to create a whitelist for that. Besides, a firewall won't stop good hackers.
reply
Normal CTF workflows can involve a lot of research but that's not the point. You can design self-contained challenges with offline solving in mind, and bundle any truly necessary docs/src/etc. with the challenge download.
reply
Presumably if you block domains, you wouldn't be able to use AI to find a way around the block. So doing so demonstrates at least some human skill.
reply
Proxy through an EC2. Ask me how I know.
reply
Or forethought. I’m sure you could ask an AI how to circumvent any blocks.
reply
Use jumpbox to access CTF. Disable all wireless for the playing hall.
reply
I think you’re forgetting hotspots, or laptops with inbuilt 4G/5G.
reply
Faraday cages exist. Finally a use for all those damn SCIFs tech companies were building in the late 2010s...
reply
Since real-life situations involve AI, banning AI would make CTFs just a simple game, not a demonstration of capabilities and talent.
reply
What do you mean? Solving a CTF challenge demonstrates way more capabilities and talent than just asking a chat bot to solve a CTF challenge.
reply
They always were just a game?
reply