Hackathons vs. CTFs

Posted: July 29, 2017 by James Pavur


One piece of advice I give to people looking to transition from computer science homework assignments to meaningful proficiency in cybersecurity is to seek out Hackathons and Capture-the-Flag competitions.

Sometimes the amount of information on these events can seem overwhelming and it can be difficult for someone starting out to know which events are worthwhile and how to best make use of opportunities. After attending a number of these competitions myself, I wanted to share some of the advice I wish someone had given me.

This post seeks to break down the types of Hackathons and Capture-the-Flag competitions that you might attend and the basics of how each contest genre operates. It’s one of a series of posts to help folks enjoy and benefit from tech competitions. If you’re more interested in strategies to win hackathons, strategies to win CTFs, team management at tech competitions (coming soon), and turning contests into job offers (coming soon), check out the other posts in the series. The series is oriented towards students and early-career tech professionals but offers advice that might be useful to anyone interested in the hacking scene.

What are Hackathons?

Hackathons are events where developers, designers, and sometimes non-technical people collaborate to build something new out of technology within a timeframe. They occur in a variety of formats but they almost invariably involve a set time limit on development and some form of team competition.

Flavors of Hackathon

There are thousands of hackathons every year and each has unique quirks and style. For example, the popular comedy hack day competitions involve making goofy and awful products and then pitching them to a panel of judges. In general, however, you’ll find most hackathons fit into these four broad categories.

1) MLH - The de facto standard for intercollegiate hacking

Major League Hacking is a non-profit that manages a huge chunk of the intercollegiate hackathon scene. Most MLH hackathons are organized and hosted by university or high school students, and all subscribe to the MLH charter, which details guidelines to make hackathons safe and consistent for participants. If you’re just starting out with hackathons, an MLH Hackathon is the best choice for learning what the competitions are all about.

Your typical MLH hackathon will be sponsored by a number of local and national technology companies, which may offer their own sponsored prizes to teams who best achieve certain objectives (e.g. ‘Best use of a Raspberry Pi’, ‘Best graphics design’, etc.). Many MLH hackathons also offer overall prizes for the most impressive builds of the competition.

The majority of MLH Hackathons last from 24 to 36 hours. They’ll provide free food, internet access, and a quiet room to sleep in at night. The target size of MLH hackathons is 80 people or more so generally you’ll get an opportunity to meet a lot of other coders from the region.

You can find a list of MLH hackathons on their website - be sure to register for hackathons a few weeks in advance since many will fill up well before the start date. Some particularly reputable MLH hackathons include Hack MIT (Boston), MHacks (Ann Arbor) and Treehacks (Stanford). If you’re in the DC area I’d personally recommend checking out Bitcamp (UMD), Hoya Hacks (Georgetown), and Hop Hacks (Baltimore) which are three excellently run regional MLH hackathons.

2) Online - Impersonal but flexible

If there are no local MLH hackathons near you anytime soon but you still want to get hacking, online hackathons are a great opportunity. Online hackathons tend to be more forgiving of a busy schedule and don’t require you to sacrifice an entire weekend. Many online hackathons can last over a month.

The downside to online hackathons is that they tend to offer less creative liberty than MLH events. Most online hackathons will have a primary sponsor with a specific objective (e.g. “Build something with the Twitter API”). Still, if you find a contest that aligns with a personal interest it can be great motivation to get building and work with friends to develop something a little larger and more robust than a typical 36 hour hackathon project would become.

One of the best places to find online hackathons is Devpost. Remember that the larger the online hackathon and the greater the prizes, the more difficult the competition will likely be. Although winning isn’t everything when it comes to hackathons, if you can find a niche hackathon you’re passionate about, the morale boost of getting recognition for your creation can be an important component of learning to love hackathons. Since online hackathons are impersonal, sometimes you might feel that no one notices or enjoys your submissions. In-person hackathons normally have time for demos so that even if you don’t win a prize you can get a feel for what people like (or don’t like) about your project.

3) Corporate/Professional - Niche and stuffy but great networking

Recently, many corporations and non-profits have begun self-hosting hackathons. These events tend to be fairly specific to the host organization and take place on a less grueling schedule (often from 9:00 AM to 9:00 PM for two back-to-back days rather than a contiguous 36 hours). They can offer excellent prizes, though, and unmatched networking opportunities if the host organization is a company you’d be interested in working for or interning with.

Devpost is a decent place to find these, although company Twitter feeds and Eventbrite will often lead you to more events.

4) Business - “Soft” and ambiguous

As the word “hackathon” has bled into common parlance, many businesses - particularly in the consulting world - have co-opted the term to apply to almost any pitch competition or event. For example, you might see a “hackathon” where teams collaborate on consulting cases or build a PowerPoint presentation on a socially responsible business. These tend to follow the Corporate/Professional format above, take place in a single day, and involve little to no coding skills. If this sort of thing excites you, by all means go for it. But otherwise, I’d recommend double-checking with event organizers if it’s unclear how technical a hackathon is and choosing a more technical opportunity if your passion is coding and software development.

Devpost, company Twitter feeds, and Eventbrite are good sources for these events.

Where’s the hacking?

If you’re anything like me, you might have attended your first hackathon and wondered why nobody was “actually hacking.” Although security-oriented projects can do well at Hackathons, if you’re looking for something a little more security-oriented, Capture the Flag competitions (CTFs) are a better fit.

Flavors of CTFs

Unlike hackathons, where a great deal of standardization has set in - in large part because of MLH’s efforts to create a consistent format for intercollegiate hacking - the capture the flag scene is still a little ‘Wild West.’ Every capture-the-flag is a little different and often it’s hard to tell exactly how an event will go down until you actually get to the competition. Nonetheless, there are generally a few categories of CTFs out there which are pretty common.

Setting: Intercollegiate

A handful of intercollegiate Capture the Flag events have sprung up. Like MLH competitions, these tend to limit invitations to college and high school students, which makes for a little more equitable skill and experience levels than broader contests. Intercollegiate CTFs can take on a hackathon style of 24-36 consecutive hours, or a conference style with breaks in the evenings or shorter competitions.

The upside of in-person CTFs is a chance to network with the regional security community, direct access to event organizers for questions and technical issues, and generally well-maintained infrastructure and communication. Free food is also traditional.

A great CTF in this style is UConn’s annual CyberSeed competition.

Setting: Conference

The best place to find in-person CTFs right now is at major security conferences. These events will often be sponsored by vendors attending the conference and are often shorter and more narrowly focused than intercollegiate style events. They are intended to be a small part of a larger conference experience and offer an opportunity to meet and hack alongside regional, national, and international security experts. As security conferences often involve paid admission, there’s a higher barrier to entry, which makes these a less appealing first CTF choice. However, many conferences offer steeply discounted or free student admission, so it’s worth checking out.

Some reputable conferences that host CTFs include Defcon (Vegas) and ShmooCon (DC).

Setting: Online

The easiest way to get started with CTFs is to join an online competition. Unlike online hackathons, online CTFs tend to be about as short and strenuous as in-person competitions and, oftentimes, happen concurrently with an in-person contest so even if you can’t make a conference you can still participate.

One excellent introductory CTF is CMU’s PicoCTF. Although only high school students are eligible to win prizes, the higher level questions on the CTF can be quite challenging and the whole contest has great pacing. They also keep old challenges up after the competition is over.

Otherwise, one of the best places to find current and upcoming online CTFs is CTFtime.org.

Style: Jeopardy

Jeopardy style CTFs are probably the most common format. Challenges are isolated tasks that involve obtaining flags (normally hidden strings) from web applications, cipher texts, or vulnerable servers. Each flag is worth some number of points that roughly corresponds to the difficulty of obtaining the flag. Sometimes additional points are awarded for being the first team to successfully find a flag. The team with the most points at the end of the competition wins.

Jeopardy style contests are great for a first CTF. They tend to be more collaborative and friendly than other styles and everyone can feel like they had some measure of success at the end of the day. It’s also very easy to utilize an entire team of people as individual challenges are easily segmented and divided among team members based on their interests and skills. Online competitions tend to be Jeopardy style as these are the easiest to maintain and host - especially with large numbers of competitors.

Style: Attack/Defense

Attack/Defense CTFs are much more intense than pure Jeopardy style. Each team will be given a system, or network of systems, they are responsible for defending against attacks by other teams. There may be particular files or services (the ‘flags’) that need to be protected.

In some formats, these CTFs will involve Red/Blue teams where the Red teams are responsible for attacking systems and the Blue teams for defending them. In other competitions, teams are responsible for both attacking their neighbors and defending their own systems from attack.

If you have a good team that works well together, Attack/Defense competitions are extremely fun. If you have a team with wide skill disparities, the fast-paced and reactive nature of attack/defense competitions can often leave newer team members feeling left out.

Hackathons or CTFs?

Ideally both - if you’re interested in security, hackathons provide useful insights into the inner workings of application development. This makes you a better hacker by teaching you the shortcuts development teams under pressure (like they always are at hackathons) are tempted to take, and how applications are structured across a ton of different platforms. By working with APIs and towards specific hackathon sponsor challenges, you’ll learn differences in how API security and authentication are implemented by various companies and get a better idea of what the potential weak points in the most popular platforms today might be.

Hackathons alone won’t make you a good hacker though. Security is a learned skill that has to be sought out in addition to basic computer programming and software development skillsets. Capture-the-flags present the ideal environment to learn about security-centric techniques and the ways to turn a hypothetical exploit into practice. CTFs are harder to find and harder to get to than Hackathons for most students and professionals, but seeking them out - in person or online - is an important step in the transition from coder to hacker.

