Cyber Fire events feel different than most Capture The Flag exercises,
because we focus on education.
Mistakes are important. We've found people learn best when they try things outside their comfort zone, so we do everything we can to create an environment where participants feel safe to make mistakes. Everyone is expected to treat their own mistakes, and those of other participants, as both positive and inevitable.
There are no prizes. We want the focus to be on learning, not on how to win the prize. We don't allow any sort of prizes at our events.
We expect creative mayhem. As a security analyst, you have to think like a "bad guy" in order to better understand what attacks might come next. We want you to be creative in your approach to solving puzzles, but we do have a few ground rules, mostly related to our being able to keep costs down.
Some Ways to get Kicked Out
In order to achieve our education goals, we have set up a few rules. We reserve the right to kick anyone out of our event for any reason, but there are a few things that might be okay in other places which aren't okay at Cyber Fire events.
Harassment is not allowed
Cyber Fire does not tolerate harassment of participants in any form. Read our Anti-Harassment policy
Network-level attacks are not allowed
SYN flooding, ARP cache poisoning, WiFi deauthentication, and other network-level attacks are not allowed. These are important techniques to understand and play with, but Cyber Fire events are not set up for this.
Attacking other participants' computers is not allowed
We have put a lot of effort into making the puzzles fun to attack. Go after those instead.
Cyber Fire's Data Collection Policy
Collected data is a liability. We only collect data we need, and dump it as soon as we can.
We know better than anyone that when the bad guys get in, they are after your data. We intentionally limit the data we collect to only things we must have in order to run an event. To register for an event, we ask for your email address, your name (to print on a badge), and optionally your phone number, in case we need to get in touch with you. We may also ask for a class choice, and for your to acknowledge some policies.
Our puzzle server only stores access logs (when pages were loaded and by what IP), and records when a team scores points. It asks your browser to remember your team token, but if you've told it not to, you can still play the event. When your browser renders the scoreboard, it downloads the entire points log (with anonymized team tokens) to render. Every time we make a decision on the server, we have to consider that everyone has all the data. This keeps us from storing something that could be damaging if it were leaked: if everybody has all the data, there's nothing left to leak!
Once an event is over, we delete all records of your registration, add your email (but not your name) to an announcements list, and retain only the anonymized events log used to render the scoreboard.