[HN Gopher] Wargames can help you to learn and practice security...
___________________________________________________________________
Wargames can help you to learn and practice security concepts
through games
Author : azalemeth
Score : 162 points
Date : 2021-12-29 13:27 UTC (9 hours ago)
(HTM) web link (overthewire.org)
(TXT) w3m dump (overthewire.org)
| pwillia7 wrote:
| I've gone through a few of these a couple years ago and it was
| FANTASTIC. I've always been interested in black hat stuff but
| never even really took a glance at all. Bandit was a ton of fun
| and I made it most of the way through natas and learned a bunch
| there too. Highly recommend.
| howLongHowLong wrote:
| I saw this while taking a smoke break in the middle of playing
| "Bandit." It's definitely making a lot of concepts (especially
| ssh/ssl usage) clearer and more intuitive through use. I look
| forward to playing the other games there.
| slickdork wrote:
| I played about 3/4ths of bandit. I'm curious your play style:
| do you google specifically the problem (NOT the literal bandit
| problem ("bandit24 solution"), but the general solution needed,
| i.e., "how to recursivly decrypt") or do you read the man pages
| trying to find the solution?
|
| It felt like I was basically decoding the problem, then turning
| to google for the answer, and it kind of felt like cheating.
| But that's also how I'd operate in the real world, so I guess
| it's not cheating?
| howLongHowLong wrote:
| I think it's designed that way, i.e. figuring out how to find
| solutions generally is one of the skills its trying to build.
| The man pages from the "possible commands" and the linked
| articles generally have enough information to get me through,
| and if not, they have enough to put my research in the right
| direction. The fringe benefit is time spent running down the
| wrong path actually results in me learning other useful,
| related things.
|
| I put it down and come back to it, too. Each time I start
| from the beginning, and more bits are just in memory, and
| looking up specific commands is more about remembering the
| options than trying to figure out how to do it. When I first
| started playing, google was my main source but I've started
| turning to the man pages first, because it ends up being less
| effort digesting that than reading through a bunch of fluff
| to get to my specific use case.
| boneitis wrote:
| It's probably also worth noting how old a lot of these
| games are. Bandit, for example, looks like it was released
| in '12. Back then, I imagine there weren't straight-up
| solutions plastered in every direction you looked.
|
| As an industry junior now, I get asked all the time on how
| to get started. Out of desire to not give a gatekeeping
| response, I can only shrug and point people to OTW-
| Bandit/picoCTF and tell them to try to do what they can on
| their own but Google every answer if they have to.
| Everybody's got to start somewhere [e: snip].
|
| I'll freely offer kudos to anyone with zero knowledge who
| even manages to go through a handful of exercises while
| looking up every answer if they otherwise would have not
| done anything hands-on at all.
|
| I should probably tweak my response a bit by adding a
| standing offer of approachability if they actually give it
| a shot and get stuck on those particular CTFs I suggest
| them.
|
| Oh, and yes, I have encountered many a CTF problems with
| very poor problem descriptions. I often don't feel bad
| about searching around deeply in those cases, if it's not a
| live competition.
| howLongHowLong wrote:
| Its not too difficult to just ignore all search results
| that reference "bandit" or "overthewire", and thus have
| an identical experience to before. I suspect there were
| places on the internet in 2012 where people discussed and
| disseminated bash tips and tricks.
| [deleted]
| indigochill wrote:
| Reading the title and before I saw the link, I thought this was
| referring to games like Armored Brigade or Red Dragon (always be
| reconning, find a weakness to exploit, execute, or conversely
| stop enemy recon and conceal your weaknesses). Both kinds of
| wargame require a similar process to be successful, even though
| OTW's wargames are more relevant to computer security (and a
| great place for beginners to start! Highly recommended).
| openasocket wrote:
| The actual term of war gaming dates back to the 19th century,
| where generals would simulate battles or campaigns to practice
| and determine the viability of strategies. Modern militaries
| will conduct war games (distinct from military exercises,
| though sometimes both are done together) involving dozens of
| people on each side. I actually think that would be pretty cool
| to try and implement for cybersecurity, having multiple people
| working together as an APT group, or a security operations
| team. Especially if you have both sides competing against each
| other. I imagine that would be really difficult to implement,
| making it realistic while not having it take months to play.
| mcguire wrote:
| There are certainly such games existing, although I can't
| recall any particular cybersecurity games offhand.
|
| One resource for more entertainment games is the megagaming
| thing (https://megagamecoalition.com/ is a starting point):
|
| " _Megagames combine the physical mechanics of board games
| with the fluid emergent gameplay of role-playing games at
| large player counts (40-80 players). Players are encouraged
| to be creative but must act within the existing game
| mechanics and established setting. Megagames range in time
| length, ranging from two hours to entire weekends. A team of
| moderators (Control) coordinate the game, adjudicate rules,
| and make sure players have the best experience possible!_ "
|
| Another semi-professional ("Professional games" being run by
| the DoD or various militaries for training or analysis.)
| option is the National Security Decision Making Game
| (https://paxsims.wordpress.com/2011/05/20/the-national-
| securi...). Pre-COVID, they ran a pandemic game several times
| that was at least somewhat prescient.
|
| Oh, and I'd be remiss to not mention the Connections group of
| conferences (One or more on every continent except
| Antarctica, I think.) (https://connections-wargaming.com/)
| They have discussions primarily of professional games, but
| topics like megagaming, cybersecurity, and the NSDMG are
| common---it's open to anyone who wants to take gaming
| seriously. There will be a (free!) Connections Online in
| Summer 2022; strongly recommended.
|
| The History of Wargaming Project (http://www.wargaming.co)
| has branched out to print several books on cybersecurity
| gaming. Naturally I can't get to their website now, but a
| couple are _The Handbook of Cyber Wargames_ (https://www.amaz
| on.com/gp/product/B086WMMYS4/ref=dbs_a_def_r...) and _Dark
| Guest_ (https://www.amazon.com/gp/product/B00J3OVJXG/ref=dbs_
| a_def_r...)
|
| There's a giant rabbit hole here if you're interested.
| astrobe_ wrote:
| "conceal your weaknesses"... Wouldn't it be "security by
| obscurity" ?
|
| I didn't play those games, but I expect at least one introduces
| the idea of defense in depth. A tower defense game, for
| instance.
| azalemeth wrote:
| They're really fun - thanks for sharing the names of some
| others.
|
| Although I'm not "new" I hadn't encountered OverTheWire before.
| The first one is indeed a gentle introduction, but I think the
| difficulty does then increase. I got through all of leviathan
| using radare2 (which, frankly, I feel like I am still
| scratching the surface of) and reading the passwords out of
| registers. After finishing it, I googled for others' solutions,
| and found very creative -- and totally different -- solutions
| to the same puzzles, almost none of which involved something
| like gdb or r2 at all.
|
| They very much feel like the traditional "book of Christmas
| puzzles", but for the HN audience that likes solving them
| interactively.
| indigochill wrote:
| Well, the ones I named are more "wargames" in the traditional
| sense: tanks and planes and stuff. But as I mentioned, the
| principles of reconnaissance and exploiting weaknesses are
| the same, which is interesting.
|
| For more computer-oriented wargames, I really enjoyed what
| I've done of Microcorruption (if you're into radare2 sort of
| stuff) and wechall is a challenge site tracker that has links
| to many other similar games as well as being a scoreboard
| that you can track your progress on all participating sites
| on.
|
| Or if you like competition, CTFtime.org is a live calendar of
| many computer security capture-the-flag competitions you can
| join. If you're interested in that but want to join a team,
| OpenToAll is a team that welcomes anyone to join and talk
| about challenges.
| javajosh wrote:
| Interesting. After some initial trepidation (because hey I don't
| know what a sophisticated malefactor could do to me through my
| terminal program!) I connected and started playing. I have to
| admit it's a little thrilling to connect to a strange ssh server.
| It is clearly a strange environment - it looks like users are
| differentiated by password rather than username, which is quite
| odd. A clever if confusing convention for a game that presumably
| wants to teach you sk1llz0rs. Based on the instructions, it looks
| like it's just a normal VPS running somewhere.
|
| I would personally love to know more about how you secure a host
| for this kind of use! Of course this seems very low stakes so
| maybe if your ISP notices a problem you just nuke the instance
| and provision another one? This would explain why they only allow
| you to write into /tmp which probably isn't even near persistent.
| venamresm__ wrote:
| This website regroups most of the other wargames and their
| points: https://www.wechall.net/
| grantjpowell wrote:
| I learned basic command line skills from the "Bandit" game[0].
| Huge fan of the genre and it's one of the things I always
| recommend new developers.
|
| [0] https://overthewire.org/wargames/bandit/
| syngrog66 wrote:
| to save the more "mature" folks time: the OA does not mean
| wargames. (not things like Panzer Blitz or ASL or Empire of the
| Sun)
| JoeDaDude wrote:
| Or for those really really mature, the OA does not mean
| Kriegspiel.
|
| https://en.wikipedia.org/wiki/Kriegsspiel
| spacemadness wrote:
| I'm assuming it's referring to the movie by the same name that
| released in the early 80s about hacking and thwarting an AI
| that's trying to start a nuclear war with Russia.
| k1rcher wrote:
| This is brilliant.
|
| I remember coming across these a few years ago, and the
| recommended starting game Bandit was way out of my depth.
|
| Now, several years later, I was able to blaze through Bandit in
| no time at all! And, learn some really cool and nifty tricks and
| techniques I had only read of/seen in passing previously :D
|
| Excited to tackle the next one.
|
| EDIT: It was also pretty fun to come across artifacts of other
| players when working in /tmp/ :-)
| dang wrote:
| Past related threads:
|
| _The Bandit Wargame_ -
| https://news.ycombinator.com/item?id=29708304 - Dec 2021 (1
| comment)
|
| _OverTheWire: Wargames to learn and practice security concepts_
| - https://news.ycombinator.com/item?id=16252873 - Jan 2018 (23
| comments)
|
| _Wargames_ - https://news.ycombinator.com/item?id=9878302 - July
| 2015 (17 comments)
|
| _Wargames_ - https://news.ycombinator.com/item?id=9017252 - Feb
| 2015 (1 comment)
| underdeserver wrote:
| Wargames are great. Vortex has been around for a long time and
| really gives a sense of how memory-corruption based software
| exploitation looks like.
|
| If you liked that, check out https://ctftime.org and writeups
| from the top events (Google CTF, hxpctf, PlaidCTF are some
| examples).
| kafkaIncarnate wrote:
| While I appreciate the need to curb potential cheating, and
| I've participated in a few (one at my alma mater, one at
| DefCon, if you want to count Build It Break It Fix It, and a
| couple others), I really personally don't like the format of
| CTFs. The chaos and rush of everything just turns it into an
| adrenaline frenzy (and people challenging rules) and not a
| skills or technical analysis, and that's not as fun or skills
| learning to me personally. It's kind of like cosplaying Elliot
| from Mr.Robot or something.
|
| But to each his own, I guess, I'm getting older I guess and the
| lost hair and stress from my regular blue team infosec job is
| starting to catch up to me. I like the format of these
| OverTheWire Wargames a lot since you can do them at your own
| pace, not that I'd likely learn much from them (hey who knows!
| I'll try them anyway).
|
| I also really enjoyed the NSA's codebreaker challenges
| (https://nsa-codebreaker.org/challenge), they give you 6 months
| just relied on the challenge being so insanely difficult that
| it would take a lot of technical skill to actually accomplish
| (though I think you have to have a .edu email to sign up).
| Heavily reliant on reverse engineering, memory tracing,
| debugger skills, disassembly, etc.
| underdeserver wrote:
| Many CTFs keep their exercises available after the
| competition itself. Many of them also have Dockerfiles in the
| downloadable part too so you can run it on your own box.
| [deleted]
___________________________________________________________________
(page generated 2021-12-29 23:01 UTC)