The CTF scene is dead
28 points by Shorden
About the "LLMs are chess engines for CTF" take the article discusses: There's a major cultural difference here that I think should be noted. CTF was always at least in part a tech arms race, with tool use and development being not just allowed but well-respected. Long before LLMs, competitors were employing ever fancier fuzzers, decompilers, dynamic binary analysis, SMT solvers etc. There was no similar progression in chess. There, it was basically all human brain power until one day computers without any input from humans just started to dominate.
So in chess, the culture quickly agreed on banning engines in competitive play and sanctions it as cheating, mostly effectively. In CTF, it's much harder to draw the line. After all, LLMs are also just C++ (or something) programs running on some computers that help you solve challenges. They're just better than the last generation of tools and take less skill to use.
I agree that the CTF scene is in a really dire state and that everyone is still at a loss of what to do, but I think there are some aspects of CTF we can and should salvage.
The competitive aspect and the bragging rights might be in danger, but I think there’s a way to keep it for teaching, learning and exchanging new ideas. As an example, do away with the scoreboards. Consider removing the time limitations. Run it for longer.
Vague-posting here to force myself into writing it down some more. :)
Very much agreed - I think CTFs mean many things for many people, from the article:
It is the ladder from beginner curiosity to elite competition. Which raises the question: what's the point of doing CTFs in the first place? To learn something new? To tease out a fun puzzle? To see who is the best hacker?
To me, the folly of competitive CTFs is reducing the question of "who was the best hacker?" to a number and a scoreboard (or maybe even asking the question in the first place). This has been an uneasy contradiction even before LLMs - take, for example, the dramas around flag sharing, team sizes, "cheesing" flags, and various meta-gaming practices. It seems obvious to me the least important part of CTFs is copying and pasting some text into a website for 500 points, but due to Goodhart's law it becomes the most important part.
I think the aspects of CTFs we can and should salvage are to learn something new or to have fun doing a puzzle. In fact, the union of these two is their strength - you can have fun learning and you can learn while having fun. The puzzling analogy I have in mind is crosswords. When doing crossword puzzles I try not to look up clues unless I'm very stuck. When I finish I like to go back and look up anything I didn't know on Wikipedia or discuss with others who solved the puzzle. There are all different types of crosswords (cryptics, patternless, variety) and I like to play them with friends. The concept of writing a harness to have a computer solve it as fast as possible might be interesting as a coding project but for the act of puzzling it is anathema.
There are already many less-competitive CTFs that do not have a time limit. They are sometimes called wargames or challenge sites and their meta-site (à la ctftime.org) is wechall.net. I got into CTFs from a great wargame site overthewire.org; the organizers of the site wrote about the wargame scene in a great Phrack article many years ago (scroll down to part 2 - "Wargaming Scene"). The puzzles themselves are decades old at this point but the scene lives on - it's been a joy solving the challenges, introducing new people to them, and helping random people when they get stuck.
The history of CTFs is not something I can personally speak on (like the author of the link, I started playing CTFs in 2020), but I believe these types of online puzzles were the direct antecedents of the modern CTF scene - people making cybersecurity games for each other over IRC. It makes some poetic sense that the future of CTFs may lie in the past. The death of the competitive CTF scene this blog decries might just be the death of a popular offshoot of an older hacking scene, an offshoot that was quantified, sponsored, and turned into a formal competition. I'd like to think the spirit of the original scene lives on and is what we should protect - educators, puzzlers, and hackers making and solving cybersecurity challenges together.
I just listened today to a talk at BSides about automatically creating a randomised version of CTFs. https://www.linkedin.com/posts/joelpanther_excited-to-be-presenting-at-bsides-melbourne-activity-7459829285256601600-Hiud This approach still works for training for people who actually want to learn and gives opportunity for doing similar problems multiple times without repeating exactly the same thing.
The CTF-as-a-challenge may be dead, but it's still good as a tool for knowledge.
Although I have done quite well in CTFs "back in my day" for the competition aspect, fundamentally they have always been about learning for me. "For the love of the game" one might say. Now it will become clear who is playing because they love the sport and who is playing just to claim empty bragging rights. I'm still going to enjoy a well put together CTF, even if the person next to me pays Anthropic $100 to win.
Now it will become clear who is playing because they love the sport and who is playing just to claim empty bragging rights. I'm still going to enjoy a well put together CTF, even if the person next to me pays Anthropic $100 to win.
I am not a CTF player, but is it possible that the person next to you enjoys putting together a system to solve a well put-together CTF? Maybe you both are playing because you love a sport, but they are different sports. I would be really upset were I running a footrace and a competitor tried to use a bicycle, but prefer that the ambulance coming to take me to a hospital be a motor vehicle. They’re just different things. If the goal is physical exertion, running is good; if it’s physical exertion and transportation, a bike is good; if it’s moving people and things quickly and safely, a motor vehicle is best.
The issue, I think, is when one party thinks he is playing one game and another is playing a different one. When done deliberately, that’s an integrity issue. Maybe CTFs could have proctoring, or be run in-person?
If anything, I think AI has incentivized doing old CTF challenges offline (for me at least)—you don't have to worry about getting scooped by one guy running a swarm of agents and you can still learn from great challenges.