parent 1062f27c36
commit fa1011b265
31 content/posts/CTF-Woes.md Normal file
@ -0,0 +1,31 @@
---
title: "Discord, mandatory Google accounts, and other CTF woes"
date: 2023-12-30
toc: false
images:
tags:
- Security
- Software Freedom
- Hacking
---
CTFs (capture-the-flags) are the preferred tool for many hackers and security researchers around the globe to improve their skills and even earn
some serious prizes. They usually involve a number of teams collectively competing against each other, attempting to solve as many "challenges" as possible. The team with the most solves or "captures" wins. Often they may win serious prizes as a result like expensive hardware, tools, and even cash prizes. Plenty of of the top Information Security experts and companies advocate for their use, [whole talks](https://yewtu.be/watch?v=6vj96QetfTg) have been given to show their intrinsic benefits. However, despite their importance in the world of information security, they often utilize and require the use of tooling and services that betray the user with all manners of tracking and unjust control. I will focus on CTFs in this post, however many of the challenges shown apply to many other groups, most importantly open-source software development projects.
First, what does a CTF even need in the first place? First, you need a way of managing teams, challenges, and the scoring of points. Luckily, many
systems have been developed to manage this task (See: the [very popular (and open-source) CTFd](https://ctfd.io/), or the [Awesome-CTF list of platforms](https://github.com/apsdehal/awesome-ctf#platforms)). However, things get more muddy when additional features get involved, like a communication channel for contacting staff/teammates, dedicated hosting for challenge files, or help-ticketing systems for managing issues that may arise during the competition.
In most cases, people tend to utilize software they have some prior familiarity with. Hence, the more people utilize a certain proprietary service in one aspect of their life, the more likely they may chose to use it in another aspect of their life (the same is true for FOSS software). Well, what chat platform has taken a large market share in the younger demographic in recent years? Discord. Well, what chat platform is utilized by CTF events and FOSS projects, and by association anyone who wishes to participate? That's right, Discord. It's a slippery slope, because as more and more people and projects use Discord, the more it becomes the industry and cultural standard. This is bad news for everyone involved (except Discord), because Discord [isn't exactly known for being pro-software-freedom](https://tosdr.org/en/service/536) (or really any proprietary chat platform you can name). They [ban users who access the service without using their non-free client](https://github.com/Bios-Marcel/cordless#i-am-closing-down-the-cordless-project). They also [retain data long after deletion requests](https://support.discord.com/hc/en-us/articles/5431812448791-How-long-Discord-keeps-your-information). TLDR: Don't use Discord, at all, especially if freedom or privacy is of any concern to you. If a project you know or are involved with is considering adopting Discord or creating a server, please urge them not to. [IRC](https://en.wikipedia.org/wiki/Internet_Relay_Chat) has been around for decades, and will remain the champion of chat protocols, with its many FOSS clients and supported features. If all you want is a fast, easy, and (most importantly) user-friendly way to chat with a few people (not 100's), then a platform like [Session](https://getsession.org/) might be the right solution.
For this post, I'll use the example of a recent CTF I participated in: [Potluck CTF](https://ctftime.org/event/2199). This post is not meant to throw shade at Potluck CTF (or any CTF organizers for that matter). They were super helpful and understanding during the event (and even fixed one of the issues that I encountered during the event). I'd invite you to check out their event and organizers, as they seem like great people. Anyways, on to the personal experience section...
Just as the countdown timer reached its final resting point at 00:00:00, many rushed to quickly access the challenges and their associated files. I did the same, as I didn't want to be left behind in the scoreboard by many of the skillful hackers and security experts I was up against. However, one thing got in my way: the challenge links. The CTF had chose to host the files and associated platform on Google Cloud, and for some unapparent reason Google required me to sign-in to my account to access the files. This wasn't doable for me, as I disable non-free JavaScript (and by association Google's JavaScript) and do not wish to make or sign in to a Google account. Well, this was definitely a problem, so I needed to contact the organizers. Well, where do they manage incident tickets and communicate with teams? Discord... Why is it always Discord!!
To summarize 30 minutes of conversation and waiting, this was (obviously) unintended behavior caused by Google's Cloud platform assuming that everyone must obviously have a Google account, so no worries if it requires one to access hosted files. The organizer managed to get a link that wouldn't require a sign-in (or JavaScript). However, the whole experience inspired me to write about this seemingly common experience of non-free software embedded in communities that are otherwise fairly software-freedom conscious.
If you're a organizer reading this, please just use IRC (or maybe something like [Revolt](https://revolt.chat/) if you want a FOSS drop-in replacement for Discord) for your communication. If you're really determined to use Discord in some way, please make an IRC channel in addition to a Discord server for the privacy-conscious people like myself.
------------
P.S. If this article resonates with you, you may also enjoy [Drew DeVault's blog article on Discord's involvement in FOSS projects](https://drewdevault.com/2021/12/28/Dont-use-Discord-for-FOSS.html)
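Review bot: the actual fix in the "To summarize 30 minutes of conversation" paragraph is never stated; the text says the organizer "managed to get a link that wouldn't require a sign-in (or JavaScript)" but not how that link differed from the original challenge link, and that difference is the one detail another organizer reading this could act on, so consider spelling out what the original link pointed at and what the working one pointed at. Smaller points in the same hunk: "Plenty of of the top Information Security experts" has a doubled "of"; "the more likely they may chose" should read "choose"; "The CTF had chose to host the files" should read "had chosen"; "If you're a organizer reading this" should read "an organizer"; and "Google required me to sign-in to my account" uses the noun form where the verb "sign in" is meant. In the front matter, the `images:` key is left with no value, so either give it the list it expects or drop the key. The first two paragraphs are hard-wrapped (after "earn" and after "many") while every later paragraph is a single line; pick one wrapping convention for the file.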