Short Interview with Giovanni Vigna
I used a congratulatory email to Giovanni Vigna to ask about his team's recent Capture the Flag win. Here is the short interview.
Bejtlich (B): What sorts of skills were required to win Capture the Flag?
Vigna (V): The skills required are many, from network analysis (looking at the traffic and figuring out what the hell is going on) to code auditing (both source and binary).
B: Did you practice?
V: We didn't really practice, but I organize an international inter-university CTF competition every year, as part of my grad class on network security. Therefore, we had (maybe) more experience in that sense.
B: How did this year's contest compare to those of the past run by the Ghetto Hackers?
V: The contest was somewhat different than the one run by the Ghetto Hackers. The new things I like the most were the SLA (service level agreement, or something like that) and the "breakthroughs".
The SLA represented how much your services were up during the contest. Your final score was weighted by that. Pretty cool idea. The Ghetto Hackers had something similar, but it didn't take into account the whole duration of the game.
The breakthroughs were sort of advisories that you could submit to the organizer when you found new vulnerabilities, so that you could get credit for being the first to find a specific flaw.
Finding flaws is a big part of the game and previously when you found a flaw you had a small window of advantage, because the exploit was very soon copied by others.
By using breakthroughs it was possible to give credit (and points) to the people who actually did the hard work.
B: What can you say about your team members?
V: They are mostly UCSB grad students and they are definitely the best people I have ever worked with... so I would say I got lucky!