Ever since I am involved into different “IT security” contexts, I regularly stumbled upon Capture the Flag (CTF). CTF is a special kind of information security competitions.


In a CTF, many teams from all over the world compete in interesting challenges against each other. Such challenges cover different information security topics such as reverse engineering, cryptography, binary exploitation, forensics and web security. The goal is to capture flags. Flags are small pieces of information, which are hidden somewhere in the challenge. They often look like this: ctf{this_is_a_flag}.

There are mostly two different kinds of CTF. In the more common Jeopardy ones, teams have to solve challenges given and hosted by the organizers. In the far less common attack-defence ones, teams are given some services by the organizers and need to run (and defend) them on their own infrastructure, while at the same time attacking the services of other teams. I’ll spare you the details, read more about CTF at CTFtime.

Ever since I know that CTF exists, I wanted to participate in one on my own. But I never knew where to start. It needed some teaching assistants of TUGraz’ (very awesome) Security Aspects in Software Development lecture to finally help me jump into the cold water.

So it happened last December that I found myself in a seminar room full of people like me, playing RuCTFE 2014. RuCTFE is one of the earlier mentioned rare attack-defence CTF. I managed to help solving a service. We managed to solve it way too late, but we learned a lot. In the end we collected some flags and made place 62 (out of 115 active teams).


Fast forward to December 2015, about one year later. I got addicted and more or less successfully participated in a few more CTF over the year. I enjoyed most of them and learned a lot.

So what’s next?

All over the year, the group of people participating in our team grew, but changed a lot. From the beginning on, this group of people called themselves LosFuzzys. The group met on a irregular basis to participate in some competitions, but had otherwise no forum or similar setting to discuss challenges & exchange knowledge.

This started to change in the last months, and really got up to speed in the last weeks. Mike and myself started to better organize LosFuzzys and coordinate our efforts. In addition, we started systematically telling people about our team and organizing meetups.

It was important to me to cover the topics of ethics and ethical hacking (we even have a manifesto!). In addition, it was (and is) very important to me to create a welcoming atmosphere and to welcome everyone interested. This also means kicking out those who don’t respect this values if needed.

The effort of the whole group already bore first fruits, given our November 2015 results:

It can be seen that a lot is possible if we focus our efforts and coordinate the team.

It is thus our plan to continue organizing LosFuzzys as a team towards building a student-organized group of people who not only participate in CTF but also meet to exchange knowledge about information security (infosec).

So, if you are interested in the mentioned topics feel free to join us! We welcome all people interested in infosec, regardless of experience or student-status!

Where to start? Check out our homepage at losfuzzys.github.io and visit our December meeting.

Update: December turned out to be great, too!