Facebook likes hackers. Not the kind that break into its accounts, but the ethical kind that can find and fix software vulnerabilities that plague massive tech companies.
In fact, it is so committed to educating and encouraging this kind of bug hunting that it’s sharing its internal Capture the Flag (CTF) security training platform with high schoolers, college students, and anyone who wants to learn how to think more like a hacker.
In making the program available on GitHub, an online repository of open source code, Facebook is giving students and budding software tinkerers a legal way to hone their research skills, while also tapping into a growing trend of using games to draw young people into technical topics such as security research. During CTF competitions, teams practice launching attacks against deliberately vulnerable, purpose-built websites and defending their own against the same kinds of attacks.
"We hope to see more people gamifying security education, both in schools and the enterprise,” said Javier Marcos, a security engineer at Facebook and the lead engineer on the CTF project. “We know playing games makes it easier to learn hard topics."
Releasing Facebook CTF as an open source platform makes that kind of gamified security education more accessible, since anyone organizing a CTF competition can now download the platform and get it up and running on their own server.
"We wanted to share our experience organizing and competing in CTFs with an easy to use platform," Mr. Marcos said via e-mail. "We also wanted the code to be an educational tool by itself, so people can learn about secure coding practices by looking at our codebase."
While Capture the Flag games aren’t new in the security research community (they’ve been taking place at hacker conventions for 20 years), the idea has gone mainstream as university teams now regularly compete in similar challenges.
What all these competitions have in common is the way they transform the often arcane and arduous task of finding vulnerabilities and creating exploits into something of an adventure. Players may have to patch vulnerabilities in their own systems while also looking for ways to hack their opponents, the kind of hands-on action that’s often missing from computer engineering classrooms.
“Playing CTF is different from reading a book,” said Soufiane Boussali, a Morocco-based security researcher, via Facebook. “In CTF we practice what we learn in books.”
Facebook also hopes that by releasing its CTF it can help root out bugs within the game platform itself, providing yet another way to learn about finding and patching vulnerabilities. The game will be connected to the company’s bug bounty program so anyone who downloads it can also earn money by reporting vulnerabilities or errors in the platform.
Of course, the real test of Facebook CTF is whether its combination of game playing and information security will translate into real learning, and into training and identifying the next generation of information security professionals.
"There's always something that will come up that's unexpected during a CTF," says Jared Stoud, a computer security graduate student at the Rochester Institute of Technology, suggesting the games are strikingly similar to reality. "From a competitor standpoint I've learned a significant amount about web application security and reverse engineering."