Hackers are like the mafia: the characters seem negative, but thanks to the magical halo Hollywood has created around them, they look more like misunderstood heroes of Gotham. But there are truly positive characters in the information security industry: "white hackers". Unlike their colleagues, they do not hack but protect. At the same time, they are not wrapped in romance, and so the general public takes no interest in them.
Among the former, Ukrainians are well known for many "feats": if not the robbery of the century, then the largest botnet. However, in the field of protection against hacker attacks our compatriots do not lag behind either. Moreover, following the results of 2016, the Ukrainian team of "white hackers" was recognized as the best in the world: the guys from dcua outperformed more than 12,000 rival teams from Russia, the US, China and other countries. But unlike their "black" colleagues, their names are not known in Ukraine.
How did you end up in the field of information security? And how did dcua appear?
I graduated from the Physico-Technical Institute of the KPI. The Department of Information Security was one of the strongest. After graduation, I stayed on to work as a teacher. The field itself is quite new and promising. And in Ukraine there are many good specialists.
The dcua team was founded in 2012. What for? First of all, to popularize the specialty and raise its prestige. It is also useful for students: when they come to their first job without experience, participation in competitions is a good reference. A recommendation from a teacher can be considered subjective, but an evaluation at a competition is independent. About 150 different information security competitions take place around the world annually. And if a student has won them all and the teacher gives him a failing grade, then it is the teacher who looks like the fool, not the student.
Participation also gives a great incentive for self-education: competing with peers from other universities, a student sees his real level and the gaps in his knowledge. Besides, it's fun. Most of the attacks are real, often the ones used in real life. But participation in CTF is completely legal.
And how was the dcua team formed?
Initially, only students of physical science were included in dcua. For the very first line-up we invited everyone who, as far as we knew, was good with computers. Over time, participants began to join from outside, including from other countries: South Korea, Vietnam, Thailand, Saudi Arabia, Morocco, the United Arab Emirates, Switzerland, Denmark, the United States. Mostly these are acquaintances: graduates of the FTI emigrate to different countries but keep in touch, take part in the competitions, and invite their colleagues from work and acquaintances from their new place of residence.
That is how the first core of dcua was formed, with which we began going to international competitions. We quickly realized that although we sometimes lag behind our rivals, our level of knowledge is about the same. It is not the case that there are gods in the USA or Europe and monkeys here who do not understand computers.
In Ukraine, education is not much inferior to that of the world's universities. Information security is studied at both the KPI and MIT, and if something is missing, you can fill it in yourself: all the materials are publicly available.
In general, we have all the skills needed to compete for the title of champion.
Tell us about the very first competition the team participated in. How did you get there and how did it go?
It was February 2012. We decided that we were ready to go to our first competition, and straight to the world level. It was Hack Night in Paris (Nuit du Hack), and that is no joke: the CTF runs continuously from 9 pm to 8 am. In total, about 700 participants from all over the world applied to take part, but only the best received an invitation. We took 16th place in the qualification, but several top teams could not go (they did not pay for the participation, but they were quite large). So we unexpectedly passed the qualification and were invited to the competition.
We started to get ready and to look for sponsors. We came and said: look, we made it to the top and have been invited to Paris for a competition, give us 500 euros. The answer was: cool, well done. But no one gave any money.
At the time "Euro 2012" was just around the corner, and everyone was investing there to get PR. And you can't get much PR out of information security.
As a result, instead of five participants from dcua, two people went to Paris, at their own expense. In total, 14 teams came to the "Night of the Hack", and we took either 9th or 10th place. We lost, but not in disgrace, given that there were two of us and the other teams had 5 people each. We fought with dignity, and we were respected.
After that we took part in a lot of online competitions. And little by little things got going.
How do these competitions work?
There are several kinds. The first is jeopardy - usually online. In them, participants independently solve problems from different categories (web, binary, computer forensics, etc.). Depending on the level of difficulty, the team can earn a certain number of points.
Attack-defense competitions are a slightly different CTF format: not solving problems, but defending and attacking.
Each team gets an image or access to a server on which it has to find vulnerabilities and fix them without breaking the service. The perfect solution when a computer has been hacked is to unplug it from the outlet. But points are deducted for that. Everything has to keep working, and working correctly. In parallel, you develop exploits for the vulnerabilities you have found and steal the competitors' flags.
In short, you need to hack the opponent before he hacks you. Attack and defend. Our team has specialists in defense and specialists in attack. For example, I am responsible for the attacks, and my colleague Nikolai Ovcharuk for the protection of our resources.
Our team has one particular advantage in such competitions. Often the images handed out at a CTF are difficult to deploy and run on your own machine. This requires strong system administration skills, and Nikolai is a professional system administrator who can get about an hour ahead of the rivals. This gives our team a head start: while they are losing points for a service that is down, we already have everything working.
Dcua has existed for only five years, and this year the Ukrainian white hackers were the best in the world in the CTF rating. How did you do it?
We were a pretty strong team from the start. In 2012 we immediately entered the world top 30, in 2013 we took fifth place, in 2014-2015 we were sixth, and now we have reached first.
It was possible, probably, thanks to involvement. Most of the students who came to us were trained through practice: a couple of training sessions, and they are already competing together with the main team. To learn how to play CTF, you need to practise constantly. The guys sit every weekend solving something.
CTF itself is quite young. The first competition was organized in 1995, and it reached the post-Soviet countries only in 2004-2005. Russian teams have an advantage in how long they have been participating: there is a team that has been competing since 2006. They are more experienced, but we, as you can see, do not lag behind.
How many CTFs have you participated in, and how many victories?
In its five years of existence dcua has taken part in about 250-300 competitions, both on-site and online. In approximately 10% of cases we took first place, and we often took prizes as well. As a rule, the team was in the top ten.
There is development in terms of the number of pure victories, but at the same time we see in which directions there is room for growth. In particular, the development of binary exploits is a very complex topic, for which experts are always lacking.
In the CTFtime ranking, we were ahead of our nearest competitors by about 200 points. That is 2-3 competitions. If they had taken first place in them and we had not participated at all, they would have overtaken us in the ranking. But you need to understand that we cannot go to every competition: it's very expensive. dcua has missed many such competitions and so did not gain points from them.
Have no sponsors been found?
We get help from the KPI: there is a fund for students which reimburses up to 50% of the cost of participating in such events. But no sponsors were found; we finance dcua from our own funds. Some of us have our own businesses and spend part of the money we earn on the competitions.
How much does it cost to travel to international competitions?
It varies. Sometimes the organizers pay for the trip and accommodation: this was the case when we went to competitions in Romania and China. But that rarely happens. On the trip to Paris we spent 36,000 UAH. In the near future we are going to Amsterdam, and according to the most conservative estimates, with travel and accommodation in some hostel, it will cost about $800 per person. And the most expensive trip was to Las Vegas, at $2000 per person.
And are there cash prizes?
There are, but they do not compare with the prizes in e-sports. In the Starcraft or Mortal Kombat championships, prize pools sometimes reach millions of dollars. The gaming industry is spectacular, and there is a lot of advertising and sponsorship.
CTF, in turn, has a practical application: the tasks are taken from real life. But there is no hype around the competitions. Prizes here are mostly at the level of $500-1000, and the historical maximum is $10,000-15,000. We in dcua have won $4000-6000.
How do you prepare for the competition? Are there any training sessions?
Yes, they are held at the KPI, in auditorium 314, on Wednesdays from two o'clock, and have the status of an optional course on information security. We have equipment, methodologies, everything you need. The course is free and completely open to students, graduate students and enthusiasts: anyone can come. On a non-profit basis, of course. If an information security branch of a bank comes to us, then the training will not be free of charge.
In addition, after each competition we look for other teams' solutions to the tasks we did not solve. Often they are published either by the organizers of the competition or by the teams themselves. You can look at the solution or find an alternative approach to the task, and study the techniques of other teams. We study all of this after each competition.
In general, white hackers from around the world exchange knowledge and experience. This is our social and information mission. Sometimes, however, the knowledge is not strictly professional. For example, our South Korean players amuse themselves by going to CTFs and learning the swear words of other countries.
Haha, I hope you have taught them a strong Ukrainian vocabulary?
Better. They have been taught "Glory to Ukraine!" - "Death to the enemies!", "Bandera is our hero!"; they know the translation and the meaning, they were given an explanation of the context, and they were warned that in Russia one can officially be accused of extremism for such greetings, and in Poland unofficially beaten. But the warnings had exactly the opposite effect: our walking international scandal ran off to test the new knowledge on the Russian team. The expression of perplexity on the faces of the intelligent St. Petersburg hackers was priceless: the vocabulary of Anna Akhmatova's poetry (classic) was enough only for "WHAT?" ...
In fact, there are many amusing cases. Specialists who go to competitions, as a rule, possess unbearable intellect and, accordingly, a good sense of humor. Often the humor is rather refined, and not everyone gets the jokes. But it never gets boring.
And by the way, why did foreign players decide to join you rather than teams from their own country?
We have better conditions for them. For example, if a competition is held in Japan, we cannot cover the cost of sending 5 participants from Ukraine: it costs about $2000 per person. A plane ticket from South Korea to Tokyo costs only $100, so it's easier for us to send them. In dcua, two Koreans go to both competitions in Asia. If they were on a Korean team they might not get to go; others might be sent instead.
Plus, our educational component is very good - they can always count on help and answers to all their questions.
In addition to the economic component, how do you choose who will participate in competitions from dcua, if there are restrictions on the number of players?
As a rule, the competition is held by another team, and we know what they specialize in. Most likely, they will set tasks in that area. So we select people who have the appropriate skills.
And how do you select new members?
If a person expresses a desire to participate in CTF, we give him several tasks from past competitions or from ongoing ones (there are so-called Wargames: the same tasks as in CTF, but they can be solved with no time limit) and see how he copes. And what matters is not just how many tasks he solved, but how systematically he approaches them. We want to see progress and a meaningful search.
We have a lot of beginners in the team: first-year students, and we even have schoolchildren. There are no restrictions on age or any other parameters.
An important criterion for getting into dcua is the absence of self-deception. Those who consider themselves the smartest and most beautiful, and everyone else dull dilettantes, fit in badly. Of course, we do not expel them; they quickly realize that there are smarter people in the room besides them. And such people are 80%. Some cannot accept it and leave on their own.
Has it happened that your members were lured away to other teams?
They can leave at any time if they wish. But there is a rule: if they are playing as part of our team, they have no right to play for another one in parallel, as long as they have access to our solutions. If this is discovered, they get a lifetime ban with no right of reinstatement. There have been such cases.
There is a global rating of teams of "white hackers", and is there a rating of players?
Yes, but this is another area. There, the games are not limited in time, and to stay in the rating you need to do nothing but play constantly. They are good for preparing students, because you can join them at any time, but among information security professionals they are not very popular, because they interfere with the main job. CTFs, by contrast, take place on weekends, so as not to conflict with the working week.
I have not played in individual competitions such as wechall.net for two years now: it takes too much time while adding little to skills.
Are there still strong teams of white hackers in Ukraine? In the CTFtime rating, I saw them, but they did not even hit the top 500 ...
In Kharkov there are teams that participate in the CTF. Individual conferences are held in Odessa, Lviv. But this movement in Ukraine is still very weak.
CTF is a pretty tough test of qualification. You can open as many specialized departments as you like and talk about how great they are, but the level is demonstrated precisely in a competitive environment.
To participate in CTF, you need to have courage and not be afraid to look like an idiot.
There were times when we took 18th place. It is important not to give up, but to analyze mistakes and improve.
It is better to be a fool once, but to find out your weaknesses and eliminate them, than not to find out and remain a fool for life. Not all of this is borne out, and there are no fights for CTF - you can immediately see who the samurai is and who is not.
On foreign resources dedicated to CTF, dcua is respected and often mentioned. That is, the team has already formed a certain reputation abroad?
We are a fairly well-known team; it is just that in Ukraine the field of information security is not popular. In other countries, the results of CTF competitions are tracked and sometimes used to find specialists for special services and national cyber initiatives. There it is taken seriously.
And yes, in the world arena the Ukrainian dcua has the reputation of one of the best teams of white hackers.
Only in Ukraine they do not know about this ...
Why, they know. The domestic security services know very well. They tried to recruit us a couple of times ... But you cannot deal with any of them directly: you can end up in slavery. The university handles cooperation with them. It is also a state body, they speak the same language: they sign official contracts and hold tenders.
We can help the special services, but only with consulting, when it does not require special clearances or breaking the law. Because we have no clearance, we cannot be shown state secrets.
At the same time, Ukrainian government websites are hacked regularly. What level is cyber security in Ukraine at, in your opinion?
It is a mix of jet fighters and flying carpets. Some understand how serious it is: they build security systems and audit regularly. And there are those who have one sysadmin for all occasions.
The "you're the programmer" type: you know how to reinstall, so reinstall, and then take care of security too. And this is not just anywhere, but inside ministries.
The main problem is the lack of a systematic approach. There is a legislative base: many by-laws and regulations have been written, but in practice there is no one to implement them. There is CERT-UA. By the way, we have in dcua the former head of one of the technical departments. But there are ten people in the response team and 150 in the overall cyber structure, 60% of whom do not know how to work with a computer at all. They write all these acts, but they cannot protect against external aggression. And there are no people who can audit government sites and point out vulnerabilities.
Such specialists are expensive, the state simply will not pay them that much.
It would be possible to drive out those 60% and recruit a small team of specialists. Now, with a salary of 4500 UAH and the restrictions that the state imposes on civil servants and the same military contracts, the specialists are demotivated. They do not feel the prestige of their specialty.
And CERT-UA should still be given the ability to bring in external specialists for narrow-profile vulnerabilities. Even on a non-commercial basis, even for one hryvnia, but officially: experts will come, if only for the sake of PR. The mere fact that a person officially assists CERT-UA says that he is highly qualified.