BSides Calgary 2026 CTF

Hi everyone, it's Alex and Doug here from Bides Calgary with and we have about 10 days to go until the actual conference starts. So, we just wanted to take this time to try and give everyone a little bit of an update and some maybe some teasers and hints uh about the upcoming CTF this year. Right on. So for anyone who hasn't heard of capture the flag or CTF, it started out as military training exercises, but the hackers have co-opted it that term and they they use it to just this activity where you use computers to break into digital targets or you pull down digital evidence and you perform analysis. Um, so what was your first

CTF, Alex? When I was at the University of Calgary as a student, uh I uh started a club that a couple people may be familiar with, the infosc club, you Calgary. Um and something that kind of grounded that club was our playing CTFs together. So I didn't know anything about cyber security at the time. So I actually played in PICOTF to learn which is a CTF put on by Carnegie Melon for beginners, but it's asynchronous. So it doesn't happen as like one big competition most of the time. it. The challenges are just static on a website and I use that to learn. But I didn't really start liking CTFs until I played in a CTF called TU CTF, which

was a live CTF with my friends. Um, and we got together in math sciences, which if you've ever been to the University of Calgary, it's a very old 60sesque uh dungeon building where there's no windows. Uh we got together at night um and we were trying to do a very very basic buffer overflow. Um it took us about 14 hours. Uh we stayed there until about like 3 4 a.m. trying to get it. Um and we got it. It was my first ever like true live CTF challenge. Uh and we didn't get a single other challenge in that CTF. But it was so fun to do it with friends and figure out those technical skills live um with other

people supporting you and having ideas. >> Absolutely. And I think we we discount we always have this image in our head of, you know, somebody with a hoodie and they're listening to techno and they're just typing. And yes, we all nerd out by ourselves and rage code and stuff, but when you're doing it as a group and you're learning and working off each other and sometimes people will you work this challenge, I'll work this one because you got to do both of them to get something to work. Ironically, this is a lot of how the criminal gangs work. They they each have their specialties. So, you know, start your own gang and come and win the CTF. Um, it's it's been

known to happen. >> Why do we run a CTF at Besides Calgary every year, Doug? Well, usually by this time of the challenge of getting them ready, I ask myself the same thing because they're a heck of a lot of work. But I see it as a real service to the community and others do as well and they have joined in and like yourself and the people that you've had helping us out over you know like stuffing 800 badges last year with 80 tiny chips and you know we've had testers help us out. um when you're hacking, if you don't have permission to ha attempt that on that system or you don't own that system, it's actually illegal

and there are people who go to jail for this legitimately. So, you don't want to just practice on any random thing you find on the internet. So, what we're doing at Bsides is we're providing an a safe place to learn this. Like you said, people are collaborating. Even perfect strangers will sometimes help. Hey, did you get that? I don't really know. How does that work? And I'll see people explaining it to another person who's never seen this idea before. So that's that's why I do it. I think it's a real need in the community and it's the one time a year where we can come and do it in person. It's not >> So something we've noticed over the

years at Bides is when people go to Bides, especially for the first time, uh they might be interested in playing the CTF. Um, it might be new and cool to them, but they tend to forget to bring their laptops to the conference. And I don't blame anyone who's done this. It might be your first conference. You might not expect there to be a hacking competition there. Um, but it really makes us sad because we put in a lot of effort into these challenges and we want everyone to be able to try them. But the one thing that everyone does get at the conference is a badge uh to dictate that they're allowed to be there, maybe put a

name on it, etc. So, we decided that why don't we leverage the badges themselves um and make them a part of the CTF since everyone gets them. Doug alluded it to it LA, but last year I was able to make a electronic badge, which is essentially a little dev board. You can see it lighting up right now with an AT tiny 85 microcontroller in it. One of the big goals with this badge was to get people to interact with each other. So not just alone trying to get that collaborative problem solving uh muscle to work and give people a chance to meet new people that they might have not spoken to otherwise. So the devboard itself was a

voltage divider that uh you needed to change up the circuit with this little jumper wire uh to make it give you more of a message which would eventually through a series of things lead you to a flag for the CTF. uh in order to get the whole message of the flag, you needed to divide the voltage by using other people's badges and other jumper cables that they would have got in their kit. Uh so we wanted to do something similar this year. So Doug, why don't you give them a little hint into what they can expect from the badges this year? >> All right. So we're going to give you the gears. Well, one gear. They're going

to get a gear and that gear interacts with things around the conference. And once you figure out one of them, you'll have to change your gear with somebody else and probably share a few notes on what you learned along the way. So it'll speed up you solving the rest of the challenges. But just like the dev board, even though you got all of the badges to work together and spell out the message, that only took you to another website with a whole new set of challenges. But we designed that particular game to be played on your phone and with your badge. And there was a number of points that you could get just even taking that

track. So um it's not like a consolation prize. This is definitely a difficult set of challenges that we do even with the badges. On to other challenges. Uh if people go check out the website, I think James Karens and Ann have been working on that. They're going to get an update and a full rundown on the CTF, but they're going to see we have some AI challenges this year. Now, Alex, you're a red teamer by day and but you built both red and blue AI puzzles. Maybe you can give give people a little background on that. >> So, a big benefit of CTFs in general is um it's a as you said a a safe way to

learn. Um, in my day job, I've started attacking more and more AI systems, uh, in different ways. Uh, and so it's something that's been on my mind a lot, but not everyone is going to attack AI systems. And if I've been attacking AI systems more, that means the requirements to defend a against AI systems or defend against AI attackers has also increased. So, I tried to build a good spread of both blue team defensive challenges where you guys get a chance to look into logs that um AI systems po possibly uh create and find malicious activity that way. Also, malware things that you'll have to reverse engineer. Uh more blue teamy challenges like that as well as what I

would consider uh my expertise of attacking AI systems as well. So, I tried to make sure there was a good spread for everyone so everyone can get involved and can learn something that they might be able to take back to their regular jobs or their regular life. What about this old school skills thing? >> Yeah. Right. Well, it it started out as a joke. I was having dinner with a couple other people of similar vintage, shall we say, and we were comparing notes on all the old stuff we used to run in companies and get paid for. And you know, sometimes you shake your head. But it got me thinking with all this AI stuff and of course I've seen Terminator

and the Matrix and a lot of those sci-fi things and it's always in the back of my mind. What if the computers turn evil? Well, I'm hopeful they don't, but one thing we can always do is remove the power because they stop working after that. And process control environments are how power is made. And they are also how everything else in our life is made. And besides, Calgary has been an IC focused CTF for a long, long time. We've always had from day one puzzles around that. But this is going to be secured literally like a C, you know, process control environment from, I don't know, 2000 2010 era. Like it's there's a lot of legacy security

controls and things that people coming into the industry have never seen and you're not going to be able to solve them the same way we solve kind of modern cloud attacks and stuff like that. It's going to be different. But if you're a critical thinker, you're a critical thinker. And our job is to think outside the box as as whether we're blue or red. if you're responding to an incident or whether you're creating the incident, it doesn't much matter. Um, you have to be creative because nothing ever works exactly like it says on the label or in the in the sales demo. So, you know, I think it's going to be a good well-rounded opportunity for people to explore a lot

of different avenues and, you know, I'm I'm really looking forward to it. But what what what can we say? Uh you need to come. When is it? That's probably the best thing. Tell people to show up. >> It's on Besides is on May 25th, 26th at Contemporary Calgary. Uh some people might know that as the Old Science Center. Um but it's on the west end of downtown Calgary. Uh registration will start at 8 a.m. that Monday morning. Um and we really hope to see you there so that you can come play in the CTF >> and stay for the afterparty. party that same night. >> They're having a party that night. So, hope to see everyone there. Thank you

very much. >> Thank you. >> What about this?