Modern field guide to security and privacy

Facebook's plan to train a new generation of cybersecurity pros

The social media giant is making its 'Capture the Flag' security challenge publicly available to encourage high schools and colleges to use gaming as a way of training hackers.


Facebook likes hackers. Not the kind that break into its accounts, but the ethical kind that can find and fix software vulnerabilities that plague massive tech companies.

In fact, it is so committed to educating and encouraging this kind of bug hunting that it’s sharing its internal Capture the Flag (CTF) security training platform with high schoolers, college students, and anyone who wants to learn how to think more like a hacker.

In making the program available on GitHub, an online repository of open source code, Facebook is giving students and budding software tinkerers a legal way to hone their research skills, but also tapping into a growing trend of using games to draw young people into technical topics such as security research. During CTF competitions, teams practice engineering and defending against cyberattacks on fake websites. 

"We hope to see more people gamifying security education, both in schools and the enterprise,” said Javier Marcos, a security engineer at Facebook and the lead engineer on the CTF project. “We know playing games makes it easier to learn hard topics."

Releasing Facebook CTF as an open source platform makes that kind of gamified security education more accessible, since anyone organizing a CTF competition can now download the platform and get it up and running on their own server.

"We wanted to share our experience organizing and competing in CTFs with an easy to use platform," Mr. Marcos said via e-mail. "We also wanted the code to be an educational tool by itself, so people can learn about secure coding practices by looking at our codebase."

While Capture the Flag games aren’t new in the security research community (they’ve been taking place at hacker conventions for 20 years) the idea has gone mainstream as university teams regularly compete in similar challenges. 

But what all these competitions have in common is the way of transforming the often arcane and arduous task of finding vulnerabilities and creating exploits into something of an adventure. Players may have to patch their own vulnerabilities while also looking for ways of hacking their opponents – the kind of action that’s often missing from computer engineering classrooms.

“Playing CTF is different from reading a book,” said Soufiane Boussali, a Morocco-based security researcher, via Facebook. “In CTF we practice what we learn in books.”

Facebook also hopes that by releasing its CTF it can help root out bugs within the game platform itself, providing yet another way to learn about finding and patching vulnerabilities. The game will be connected to the company’s bug bounty program so anyone who downloads it can also earn money by reporting vulnerabilities or errors in the platform. 

Of course, the real test of Facebook CTF is whether its combination of game playing and information security will translate into real learning, and into training and identifying the next generation of information security professionals.

"There's always something that will come up that's unexpected during a CTF," says Jared Stoud, a computer security graduate student at the Rochester Institute of Technology, suggesting the games are strikingly similar to reality. "From a competitor standpoint I've learned a significant amount about web application security and reverse engineering."


You've read  of  free articles. Subscribe to continue.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to