Big Learning, Small Challenges
If we cannot make learning cyber-security easy, then we will make it fun. Many capture-the-flag (CTF) competitions are designed by elite hackers for elite hackers. The picoCTF team, by contrast, includes software engineers, system admins, artists, students, teachers, administrators, new hackers and old hackers, and we make a competition for high school and middle school students. Because we are so close to the Plaid Parliament of Pwning (PPP), every picoCTF competition has mind-bending challenges to test the saltiest hacker, but that’s the end of the journey for anyone prepared enough to make it that far.
Two key aspects separate picoCTF from other CTFs: we provide every participant with the tools needed to solve challenges, and we provide “on-ramp” challenges in almost every category. On the first point, our website includes a “web shell” that grants access to our Linux server, where we have pre-installed the tools that participants need to analyze and solve challenges. The upshot is that high school students with access to old hardware or non-traditional devices (such as Chromebooks) can still participate. No preparation or installation of tools is required for picoCTF. On the second point, our team carefully crafts on-ramp challenges that slowly introduce participants to using the shell, to making use of the extensive learning resources we provide, and to the traditional CTF categories themselves, namely binary exploitation, reversing, web exploitation, forensics and cryptography. Some on-ramp challenges fall under a “general skills” category, which often covers computer science concepts, such as number bases or encodings, that are crucial to understanding many other problems farther down the path.
Finally, as far as “fun” goes, not everyone is motivated by competition (though many are). We also provide a video game each year to offer something enthralling for explorers. Participants discover problems slowly as they solve others, and the yearly competition inspires collaboration between student teams. There is no way to make every cyber-security concept easy, but our multifaceted strategy for making learning about cyber-security enjoyable inspires students to work together, to learn to solve seemingly intractable challenges, and incidentally to learn quite a bit about computers and security along the way.
pico-Boo!: How to avoid scaring students away in a CTF competition (2019)
Abstract: The lack of computer security experts poses a challenge for the private sector and national security. To encourage middle & high school students to learn more about cybersecurity, picoCTF was created in 2013. picoCTF is a “capture the flag” computer security exercise built on top of a video game that teaches students technical skills such as reverse engineering, forensics, cryptography, and binary exploitation. The challenges are specifically designed to be hackable and provide a safe and legal way to explore cyber security. Since the first competition in 2013, picoCTF has grown from around 2,000 teams to 8,000 eligible middle & high school US & CA teams and over 27,000 total global participants in the 2018 competition. Two key changes have been implemented since the competition’s inception to improve learning outcomes and increase student engagement. More introductory and intermediate difficulty problems were added to each category, gradually increasing in difficulty. Also, a new “classroom” feature was added to the competition that allows teachers to create internal scoreboards and track student progress. An analysis of the results of the 2018 competition shows that these new problems kept students engaged for more problems in the competition, and students with teachers who utilized the classrooms feature performed better than students with teachers who did not.
picoCTF: Teaching 10,000 High School Students to Hack (2013)
Abstract: In the spring of 2013, two student-led organizations, the Plaid Parliament of Pwning and Team Osiris, designed and hosted a computer security competition for high school students called picoCTF. Unlike existing competitions, picoCTF focuses primarily on offensive hacking skills presented in the form of a web-based video game to better excite students about computer science and computer security. Over the 10-day competition nearly 10,000 middle and high school students participated across almost 2,000 teams vying for $25,000 in prizes, making picoCTF, to the best of our knowledge, the largest hacking competition ever held. The competition introduced thousands of high school students to advanced topics such as the command-line interface, cryptographic ciphers, the client-server paradigm of the web, file system forensics, command injection, data representation, and program representation. picoCTF sets a new standard in scale and educational impact in pre-collegiate computer science.