Winners of SPb School CTF-2018: How to Become a Successful Hacker When You're 11
At the beginning of October, ITMO University hosted SPb School CTF-2018, an information security competition for school students. ITMO’s school team ITMO.KIDS consisting of 11th-grader Artem Zaglubotsky and seventh-grader Yuri Grishin took first place. In this interview with ITMO.NEWS, the winners share their stories of how they got into information security and started taking part in programming competitions.
Artem, for how long have you been practicing information security?
Artem: For about half a year. I’ve long been into programming though. Basically, it’s how I developed an interest in cybersecurity. What also influenced my choice of a hobby was that after having watched so many movies about hackers, I was curious to find out how things really work.
If you ask me why I started studying information security instead of, say, programming, I would respond that it’s because most programming competitions require algorithms knowledge, and I hate drilling. It’s sheer math, there’s no room for creativity, while cybersecurity competitions encourage you to think out of the box because all the tasks are unique and there are no off-the-shelf solutions. You have to analyze each situation and come up with a new solution each time.
Yuri, what about you? When did you start studying information security?
Yuri: When I was six, I first learned about hackers. That’s how it all started. At the age of seven, I decided that I wanted to become a programmer, and I began programming when I turned nine. After a while, I got into information security. I don’t see programming and information security as two completely different spheres though, and I enjoy them both.
Did you study on your own or asked someone for help?
Artem: In the very beginning, I didn’t attend any courses or something, I was just reading through all the materials I could find on the Internet and trying to solve some tasks when I bumped into the SPbCTF community, where I practice now.
Yuri: It was kind of the same for me; I also found the materials online, watched lessons on YouTube and various forums. When I had questions I asked them on forums.
At the beginning of October, your team won the SPb School CTF-2018 competition hosted by ITMO University. What other competitions have you participated in?
Yuri: My first CTF competition was School CTF that took place in November last year. I just started practicing and didn’t win anything then. I also participated in NordschoolCTF, and SharifCTF. It was not a complete failure, but it was very hard. I often take part in online CTF competitions, such as QCTF, and Cyberchallenge.
Artem: I started taking part in CTF tournaments a couple of years ago. Among the competitions I participated in are ITMO’s programming competition, the Archimedes contest, NordschoolCTF, QCTF School, Cup MISiS Case, and SPb School CTF-2018, among others.
Where did you meet and how did you decide to form a team?
Yuri: We first met at NordschoolCTF, and then again at SPbCTF’s seminars.
Artem: I often invite my friends to take part in competitions with me, but not all of them like the CTF format. I really wanted to join SPb School CTF-2018, but I didn’t have a team, so I decided to write Yuri. It was our debut together.
What are the seminars at SPbCTF like? What do you do?
Artem: The seminars take place every Sunday and last for four to five hours.
Yuri: Or even more. There was a time when we used to come at 1:30pm and leave at 7pm. We practice both classic, attack-defense format of CTF and the so-called task-based CTF. The difference between these two formats is that attack-defense is closer to real life: there are two teams, each given a server with a set of vulnerable software services. For example, an online shop. The players try to secure a victory by hacking their competitors’ servers and protecting their own. During task-based CTF competitions, instead of hacking each other, the teams are to complete particular tasks, which is much easier. Not all the tasks are about information security though. There are some boring tasks like taking a picture of your team and uploading it to Instagram, but I don’t like such tasks.
And what do you like?
Yuri: Searching for vulnerabilities. For instance, you get a link to a website created specifically for the competition, and you have to find security problems and fix them.
Why didn’t you invite other people to your team? Why are there only two of you?
Yuri: If there were more people in our team, it wouldn’t be so interesting. For example, I want to solve a task, but somebody has already solved it before me. It’s so cool to solve as many tasks as you can. Besides, we just couldn’t find any talented school students who would like to join forces with us. But I think that two people are already enough.
What does a typical competition day look like?
SPb School CTF is a task-based, so we just solved tasks. But there are other types of competitions, some of them lasting for two days. Sometimes, a single “battle” can last for eight hours.
Do you find it hard keeping up with this pace?
Artem: No, not really. When participating in programming competitions, I usually take lots of food with me and try not to get distracted. When I feel that it’s time to have a rest, I just look around for a while to give my eyes a break.
Yuri: After I started programming, I became a real nerd, so I can just sit in front of a computer for hours and hours. Besides, I don’t eat much, so I rarely get hungry.
How do you manage to juggle preparing for competitions and school?
Artem: I don’t have a choice. I’m now preparing for my USE exams, and I only have an hour a week to devote to my hobby. What’s good about it is that the only thing I need to practice is my laptop. All the materials can be found online, so I can practice almost anywhere I like. An hour a day is enough if you train regularly.
SPb School CTF-2018 describes itself as a tournament that ‘allows participants to explore the day-to-day tasks of the ‘white’ hackers’. Who are ‘white hackers’, what do they do and what qualities should you have to become one?
Yuri: White hackers are people who search for weak spots in a software system, but when they find one, they report it so that it could be eliminated, instead of exploiting these vulnerabilities to make money, like hackers usually do. I believe that curiosity is the most important quality for becoming a white hacker: when you visit a website for the first time, you should be interested to get to the bottom of how it works. And when you understand how everything works, you can analyze its layout and find its vulnerabilities. Your intellect also matters here, but I think that goes without saying.
Artem: I don’t think that it would be correct to say that hackers are those who hack in computers; the name is a bit misleading. Hackers also look for solutions of how to make an operating system launch faster. If a person manages to find this solution, this means that they code so well that they can improve the work of computers. Mass media usually demonize hackers, but in reality, these are people who advance science and make the world a better place. In a way, you can consider Steve Jobs and Steve Wozniak hackers, because though they did some unlawful things, their little ‘blue box’ contributed to the development of technologies.
It’s true that to become a hacker, you need to be curious, but also creative and very tech-savvy. Apart from that, it’s important to be assiduous and tenacious: you have to bring projects to their conclusion.
What are your plans for the near future?
Yuri: I don’t yet know what I like best, web development or information security, so I’ll just pursue anything that comes my way.
Artem: Aside from cybersecurity, I try to explore other spheres: for example, I visit Case-tournaments to gain experience in technological entrepreneurship, because this is what I want for my future career path. In essence, technological entrepreneurship is just selling technologies. Someone creates an app or website that has the potential to become popular, and you have to come up with a strategy of how you’re going to develop this product, as well as form a team of specialists who will be involved in its implementation. I attended a summer school in technological entrepreneurship, where I was awarded a diploma, and this motivated me even further to pursue this field.
My global aim is to create a company in the field of smart city technologies. I’d love to work on this idea and understand how to build an effective interaction with a smart city and within it. That’s why I try to master related scientific fields: it will give me a better footing for when I encounter these tasks in my future career. I think that St. Petersburg offers lots of opportunities to develop such a company, and if you need a specific device from abroad, you can easily order it online. Big cities like ours have everything you’ll ever need to be successful in this field.