Backman describes an attack/defend security contest for inexperienced undergraduates. The contest uses capture the flag, where an attacking team exploits vulnerabilities to acquire sensitive data, “the flag.” The defending team works to patch such vulnerabilities. The game is intended for small liberal arts universities that can offer only a few computer science (CS) courses and often only one in computer security. The game serves also to integrate many ideas in the CS curriculum.
In 2015, the third year the game was offered, 70 students from four universities participated (three time zones). The contest consists of eight one-hour rounds. At the beginning of each round, a new flag is delivered to each team. Scoring is based on capturing a flag, defending a flag, and maintaining service uptime. The paper presents countermeasures against inappropriate tactics. It also describes the architecture of the contest framework: an administrative virtual machine, in Linux, and virtual machines for each team. Support scripts are also described. Teams interact with the game through a website on the administrative virtual machine. An engaging feature of the website is an audible message produced when a flag is captured.
The paper points out the difficulty of scaling the contest. Other universities are interested in participating, but the author believes increasing beyond 16 teams in a single contest would diminish the educational value. The contest does appear to be educationally worthwhile and engaging to students. The paper is readable, with sufficient guidance for someone to develop a similar contest.