All right, so a few weeks ago I bought a new MacBook Air, and I walked in and twice in three days I broke Lion and it wouldn't log in. So I walked into the Apple Store and the guy says, "You tried to install VMware Fusion on your laptop?" And I said, "Yeah, like, what's wrong with that?" And he goes, "Dude, like, you can't do that. That's not on the approved list of software. What would make you think to install an unapproved piece of software on your machine?" And I was like, "Gee, I don't know." I believe the word he used was "logically." Yeah: "Logically, why would you do that?" And Ted goes... so I walk up, I'm like, "Well, I have a MacBook here, and I installed VMware and Lion on it, and it worked fine. So using induction, and that is our base case, we then abstracted that," and he goes, "Whoa, whoa, I don't want to hear about induction, okay?" And then he goes, "Lion is a completely different architecture than Snow Leopard now." I was like, "Really, is it? Can you explain that, please? I'm pretty sure it's not." And then there was the other Apple Store Genius, looked like Adam Young from Owl City, and he was like, "You guys, you guys, you two calm down." So at this one I'm wearing an RSA shirt and Ted's wearing an MIT shirt, and it's like, you want to talk about logic? Come on.
But all right, so we're gonna get started, right, because it's 2:30. All right, cool. I'd like to present Mike and Ted. Bill had an accident, so I replaced him with Mike. If you want to know about the accident, so, later.
How many of you guys are students? All right, awesome. This is for you guys. How many of you guys are professors? All right, awesome. This is also kind of for you guys a little bit too. How many of you guys just are bums? All right, screw you guys.
So our goal is we want every university to participate in cyber competitions. And we're gonna help you help us to realize that goal, and we have a tool that's gonna help you get started and help us realize our goal. We think so. What's the problem?
So we think there is a problem, and we think that universities and institutions are trying to teach the students how to be hackers, but they're not doing very well, because we're transitioning from traditional computer science, where you learn theory and you try to do practical events at the end, and we're shifting into a cyber world, a cyber security world, where it's pretty much all practical and then you kind of have to absorb the theory yourself. So, you know, we've been introducing all these information assurance classes, but we're struggling to try to fit this gap between high-level and practical knowledge. And we still see a problem there, because the instructors are being pushed into this realm, and while they're trying to give and demonstrate practical examples, they're not really experienced with the new cyber security world that we are in right now.
So, you know, there's a bunch of great stuff. If you go to IEEE's website, if you pay for it, and you look under the C cert conference, or CSET conference, you'll see tons of white papers of different universities trying to implement cyber labs, and they have varying success. What we've done is we've gone through all that and we looked at their conclusions, and we've tried to build a tool that helps them realize all their conclusions.
So again, not all universities have these cyber labs, and to kind of replace them or offer something similar to all universities, there are cyber competitions out there. There are tons of them. We're not gonna list them; if you go to a CTF competitions or something, or if you go to the DEF CON website, you'll get a good list. But there's also a problem with these cyber competitions: they're trying to isolate the best from the rest.
So if you're not first, you're last. They're pretty difficult. And not all universities have access to them, whether they don't know, or the students don't have enough people to create a team, or they're just afraid of them.
So if you read our slides that we submitted for the disc, you'll see we said something about prizes. And so throughout the presentation, we're gonna be asking questions, and if you give us a good answer, we're gonna give you a prize. Now, it's pretty easy for you to get a prize from us. So who wants a prize? That guy right there in the hat. So he's getting an RFID wallet. That's about how easy it is to get prizes from us.
So about that problem. You hear problems all the time: school doesn't teach you much practical knowledge, blah, blah, blah. Like, who really cares? You hear that all the time. You need an outlet for practical learning, blah, blah, blah. Who gives a shit? You hear that all the time. So enter CTF competitions. CTF competitions are a practical outlet for your real-world knowledge, and they help you assess your current skills and help you realize what skills you need to work on more. But they can be hard, and no one wants to get completely pwned. Total punish.
So if you remember our goal, we want all universities to compete in these competitions. So why? These competitions introduce students to critical thinking, whether they're winning the competitions or they're solving a few challenges or they're not solving anything.
They're either realizing what they don't know or they're able to evaluate what they do know and what they do very well.
So we'd also like to use these competitions for universities to augment their assessments. So instead of you sitting down for standardized testing and answering A through D, we want to use these critical thinking skills and even your improvement. So if you're not that great at them, if you're entry level coming in and you're not solving too many questions at first, and then towards the end of the year you're solving a few, or you're getting farther in the questions than you were, we can definitely show improvement there, and we can actually assess the critical thinking and an improvement in critical thinking.
And finally, we can evaluate the curricula that the university has. So instead of just, you know, we have like five to ten universities who have teams that are participating and doing well in these competitions, we can get every university, and we can actually see some universities who are better at web exploits, better at binary reverse engineering. So if you're in high school, and I hope if you're in high school and you know that you want to go into this field, you could sit down and say, you know, I really like web exploitation, or I'm really into the web, I can pick a university who performs well here.
So how do we do this? How do we make competitions less hard? How do we make all universities adopt these competitions? Do we want to ask the competitions to standardize their challenge scoring so that we can evaluate students across competitions? Do we want to ask them to put a tiered structure to the competition so they have an easy mode, a medium mode and a hard mode?
That doesn't really work too well. So, you mean, there's a third option, and we can do it ourselves. And the way we want to do it ourselves is through standardizing the practice. So standardizing what you do as a university or what you do as a team, so that we can actually compare results across competitions. So it's practice, man. We're talking about practice. A little East Coast there. Now West Coast, actually.
So again, how do we do it? Let's standardize and systemize our practice. So we're gonna hopefully show you how to do this, so we're not just kind of shooting in the dark there. And when we do this, we're gonna remove a fear of the unknown. So if we have a standardized way of practicing, teams, or universities that aren't into competitions, they don't know what the competitions are, they won't be afraid. We'll give them a method. We'll say, here, use this. It'll direct you, it'll show you the competitions you want to compete in, it'll show you the questions that you should be answering. And then instead of having the objective of going in there and winning, we can have universities redefine that and say our objective is to learn at first, right, not just to win. So if we change our motivation, we might change the outcome of separating the top-tiered schools from the rest of the guys and actually show some performance on a per-student basis. And then after, you know, the university is kind of used to it and they've competed a few times, they can switch back and they can actually play to win.
So we're hypothesizing that a collaboration tool will help you compete and help you collaborate with each other more successfully. So can anyone name a collaboration tool that you could use? Okay, all right, all right, IRC's decent. We'll give that. So this is like a TV jammer kit thing. So you build your own TV-B-Gone, right?
So right, we have some solutions.
We tried, we're like, Redmine and MediaWiki, not Google Wave, whoever said that, which are slow, and there's a lot of syntax overhead, and it's good organization of content but bad collaboration. So there's a lot of versioning conflicts. Then you have Google Docs, which is great on the collaborative side, but not so good on the challenge management side. So like good computer science students, when we couldn't figure out what a good solution was, we built our own.
So now we developed something called RTFN, Rock the Flag Network. And it's a software, hardware, collaboration, tracking, storage, etc. solution, and what it does: it organizes data and preparation materials before the competition, and you can compound them after the competition, for materials that you've gathered for preparation, for future occurrences of that. It also creates a repository of tools and software that you'll need to use during the competition, to save time from constantly having to go download them every time you need them. I know there was like four competitions we competed in where we had to download PadBuster every time, and that was just annoying. It has real-time challenge management functionality based on AppJet's Etherpad, which is what Google Docs is based off of, which we've customized to include things like related file uploading, if there's a binary for binary analysis; challenge ownership, so you can tell who's working on what and that every challenge is owned by someone; tags and labels, so you can grab and search for them later for practice. Also, it has reporting and trending functionality to show you visualizations of your progress and where you need to improve and how your attempted improvements have worked. And we have some examples of that in a few slides.
So this is kind of just a visualization of what RTFN actually is. So if you'll see, you input into it your challenges, your tools, the dates and deadlines of these competitions, and your actual skill, your participation. And what goes into it on the bottom, or what RTFN is, is in the orange there. And that's the labeling, the tracking, the searching, the reporting functionalities, a storage of tools and all that. And what you get out of it is increased campus involvement, because now you have more people competing from more places all over campus, because you don't have to be in a central location anymore. You can identify your weaknesses better, because you know what works and you know what doesn't, and you have all these pretty graphs that Facebook would love that identify that for you. You can trend your challenges. You're gonna effectively prepare based on all these documents that you've created. And so if you look at this next slide, it's pretty cool.
So this would be an example of a graph that you can get from RTFN. So if you notice, on the left-hand side you have minutes to solve web exploit. So you're noticing for the first few challenges it's taking about a hundred minutes to solve, and then you hit point one and you dramatically drop to point two, and you say, look, what changed? What did we do that changed that and allowed us to improve? And you can diff all the things, and you'll see tags will include something like Burp Suite, and using that allowed you to do web challenges three times faster. Now, Burp Suite is just an example. It could be anything. Like, for example, if you go to minutes to solve binary analysis, if you look up to point one, you're taking about 30 minutes to solve it, and then you go up and you hit point two and now it's taking you two hours, and then you go back down to point three and it's taking you half an hour again, pretty dramatically. And you want to see what changed. How can we level that out so that that doesn't happen again?
So if you diff all the tags and all the editors, you'll see that up to point one, Nick was your binary analysis guy. Then Bob came in, and Bob sucks. So then you kick Bob out of there, now you have Nick back, so you know, like, Nick is your binary analysis guy. So this helps you identify what you're doing, how you're doing it, and who is your guy to do that. And it also identifies, listen, we just lost Nick, now we need another guy for binary analysis, and that helps with recruitment, etc.
So now we're gonna do a quick little demo. So Ted's gonna get out of there, and he's just gonna log in to Earl. He can explain it. He's a big boy. We're from Stevens Institute of Technology, which is in Hoboken, New Jersey. It's right across the water from the financial district in New York City. So we've competed in competitions like CSAW, CCDC, iCTF, Carnegie Mellon CTF, RuCTF. So we've done a bunch of CTF. So you want to maximize that? Yeah, that's good.
So this, Ted can explain. So this is kind of what it looks like. Right now it's kind of hanging off of the screen a little bit, but so you'll get all the competitions that you've competed in. If you want, you can go up and, you know, create a new competition on that, a little bit, a new DNS entry, and then we'll name it and get a start and an end date. We'll come back to the contest. We'll go into this one. We've populated a little bit. So you populate all this yourself, and it'd be like a per-challenge thing. So we've gone and entered something called TCP/IP, and that's a protocol decode, and Mike was working on it. So as you go into it, you can see these things. So like, this is Mike just joined here. He's got it on his laptop and he's going in and he's editing, and we're all usually using Etherpad to do this. We just modified it a little bit. So Mike, if you want to go ahead and solve that challenge. So he solved it, and now we... comes back. If I say, you know, Mike, you didn't solve it,
I can go ahead and uncheck it for him. And then we can say, oh, we realize, like, this is a really hard challenge. Yeah, so you can't see my screen, but I just clicked hard. Yeah, so these ones would be considered hard. So I'm gonna go back, and we'll go into the DEF CON CTF quals here. We'll pull up this guy. So if, like, you want to enter a picture, you can go ahead and drop that in there. I entered a honey badger because he's really badass. So that's pretty much what it looks like. We're still working on it a little bit. If you want to, you can come in and check all the challenges list, and then we have, like, all the owners, all the people that worked on it. We save every single update. You can just add a Twitter tag in there, just a pound tag, and it'll go ahead and enter that for you.
So if you notice that challenge dashboard, when you saw all the lists of challenges, you can categorize them and you can see. So going into a challenge, if you know, hey, it started a few hours ago, and I know that I'm the binary analysis guy, I'm gonna walk in, look at that dashboard, say, what's binary analysis? What's not being worked on? And I'm gonna get on that right now.
So next, this is a little implementation we did. We got an aluminum toolbox from Sears and drilled some holes in it, created some ports in it. We both used to work at our school's IT department, so we've been doing, like, ports and stuff for forever. So we have, like, a little switch in there. You can see we have a little microcontroller that you really can't see, and you can just connect to that, and that's like your mobile CTF box. So we competed in CSAW at NYU Poly, and we had to go there to compete. So this is something that you could bring with you if you have to go somewhere to compete. And this isn't like the de facto implementation of what you have to do. This is just like an example of what you can do at this distribution. Yeah, so like Mike said, we're releasing it as a distribution.
So you just go ahead, pull down the ISO, and then launch it up. And we're not gonna do it as a virtual machine, because it does have functionality to load your own virtual machine. So if you're playing, like, an attack-defense competition like RuCTFE and you have to load a virtual machine, you would go ahead and do it here. So there are security mechanisms that would protect anyone connecting to it. So, like, it's running an OpenVPN client and then pushing everything out to you. So you would connect into this, the virtual machine would be there, you wouldn't have to load it on your own computer. So we don't recommend releasing RTFN or implementing it as a virtual machine.
So why do we think this might make a difference? If we're gonna switch back into the goals, where we want every university to be competing in these competitions, and we want to use these competitions to evaluate and allow the university to mold them into their assessment, we're gonna enable team collaboration with this. So even if you're not all sitting together, if you're around the world, if you have a university that's not all co-located, or you have a team that's not co-located, if you have a team built from many universities, we can effectively do that now. And then we can extract metrics from the competition, so we can extract times when you added tags, times when players were added, whether you're actually finishing the challenges, or what challenges you're not finishing, what challenges you're finishing quickly. And then we can compare student performance with and without RTFN. So we can imagine a situation where a university wants to say, do cyber competitions actually help students in academia? And we can compare a group of students who are playing capture the flag or cyber competitions and then a group of students that aren't. And then we can also now, with this tool, compare students who are collaborating and students that aren't. So we can give a group of students who are competing and a group of students who are competing with this tool, and we can compare their performance.
So another quick opportunity for a prize. Can anyone name a way that they could use RTFN, that, like, we haven't, that would help them out at their school? Anyone? This is like the best. You can think about it, and yeah, you can think about it and get to us after, so come up to the stage right afterwards. Team projects? What do you mean by that? So working on a team project together. Right, right, that works. Absolutely right. So the answer was team projects, when you have people in a team that aren't co-located, that aren't with each other, that have to work on online team projects. So you're gonna get a hundred-dollar Apple Store gift card. That's your prize.
So awesome for you.
So to kind of finish, our lofty goal, what we want you to take away from what we are imagining, is we want any and all students to be participating in cyber competitions. I added college there, but definitely high school too, and even after college. We want competitions to be used to augment university curricula, absolutely. We think that that could be a very, very powerful tool. And if you don't agree with us in that sense, I mean, you can still use RTFN if you're currently playing cyber competitions and you don't want to see the world change, but you just want to do better. Or in the other sense, remote red teaming. So I know a lot of these competitions involve what's called a red team that will come and actually play against the students, so the students are being measured by how well they can fend off a red team. Well, it's very difficult for a red team, who are often working professionals, to come and sit down together, and then even to share information. And we've been talking to a few people who are really making a lot of progress in this. We think we might be able to help them out here using this tool, being able to provide remote red teaming collaboratively.
All right, so I don't think we have time for questions, but we can take to the Q&A room, so come hang out with us and we'll give you cookies and you can come get your prizes from us.