Facebook's plan to train a new generation of cybersecurity pros
The social media giant is making its 'Capture the Flag' security challenge publicly available to encourage high schools and colleges to use gaming as a way of training hackers.
Facebook likes hackers. Not the kind that break into its accounts, but the ethical kind that can find and fix software vulnerabilities that plague massive tech companies.
In fact, it is so committed to educating and encouraging this kind of bug hunting that it's sharing its internal Capture the Flag (CTF) security training platform with high schoolers, college students, and anyone who wants to learn how to think more like a hacker.
In making the program available on GitHub, an online repository of open source code, Facebook is giving students and budding software tinkerers a legal way to hone their research skills, but also tapping into a growing trend of using games to draw young people into technical topics such as security research. During CTF competitions, teams practice engineering and defending against cyberattacks on fake websites.
"We hope to see more people gamifying security education, both in schools and the enterprise," said Javier Marcos, a security engineer at Facebook and the lead engineer on the CTF project. "We know playing games makes it easier to learn hard topics."
Releasing Facebook CTF as an open source platform makes that kind of gamified security education more accessible, since anyone organizing a CTF competition can now download the platform and get it up and running on their own server.
"We wanted to share our experience organizing and competing in CTFs with an easy to use platform," Mr. Marcos said via e-mail. "We also wanted the code to be an educational tool by itself, so people can learn about secure coding practices by looking at our codebase."
While Capture the Flag games aren't new in the security research community (they've been taking place at hacker conventions for 20 years) the idea has gone mainstream as university teams regularly compete in similar challenges.
But what all these competitions have in common is the way of transforming the often arcane and arduous task of finding vulnerabilities and creating exploits into something of an adventure. Players may have to patch their own vulnerabilities while also looking for ways of hacking their opponents – the kind of action that's often missing from computer engineering classrooms.
"Playing CTF is different from reading a book," said Soufiane Boussali, a Morocco-based security researcher, via Facebook. "In CTF we practice what we learn in books."
Facebook also hopes that by releasing its CTF it can help root out bugs within the game platform itself, providing yet another way to learn about finding and patching vulnerabilities. The game will be connected to the company's bug bounty program so anyone who downloads it can also earn money by reporting vulnerabilities or errors in the platform.
Of course, the real test of Facebook CTF is whether its combination of game playing and information security will translate into real learning, and into training and identifying the next generation of information security professionals.
"There's always something that will come up that's unexpected during a CTF," says Jared Stoud, a computer security graduate student at the Rochester Institute of Technology, suggesting the games are strikingly similar to reality. "From a competitor standpoint I've learned a significant amount about web application security and reverse engineering."