Manfred Paul

92 posts

@_manfp

Security but not as in "national security". Playing CTFs with @redrocket_ctf (and @Sauercl0ud). Pwn2Own Vancouver 2020..=2024\{2023}. @[email protected]

Outside of computed bounds · Joined January 2020
315 Following · 5.3K Followers

Manfred Paul @_manfp
@_0xTen @LiveOverflow @_mixy1 (ofc some might argue "that means those challs won't exist in the long run". but that's just putting the burden on authors too to reject lots of good ideas, spend big money on AI tooling to test, plus the mental burden if "oh it got slopped anyways" happens)

Manfred Paul @_manfp
@_0xTen @LiveOverflow @_mixy1 It's not just about the learning, 90% of the challenges being irrelevant is also unsustainable because that means 90% of the challenge author effort is "wasted". High quality challenges have *always* been the bottleneck of CTF.

Michael Debono @_mixy1
ctfs are dead PLEASE PLEASE PLEASE stop making jeopardy ctfs. This is not fun at all to put effort into. Let's try and find a new format or something cause I'm gonna [redacted] if I see another ctf get half its challenges cleared in the first 30 minutes.

Manfred Paul @_manfp
@gynvael If it's a different game for different people, at least call it something different too?

Gynvael Coldwind @gynvael
A better question is: Is it a format for the same people? My guess is that the answer is likely "no", and there will be a lot of reshuffling on the CTF scene.

LiveOverflow 🔴 @LiveOverflow
@_mixy1 Why is this bad? New CTF meta is AI assisted playing. The teams with the best AI tooling will win. Is that not a good new format? 😅

Manfred Paul @_manfp
@LiveOverflow @_mixy1 Some of the most fun CTF challenges I've seen were also the most detached from the real world. Who needs to pwn an Apollo Guidance Computer or analyze minesweeper logic gates? These are "CTFy" because they value fun over practical use, not in spite of it.

Manfred Paul @_manfp
@LiveOverflow @_mixy1 I do object to the "CTFs are not a 'game'". Sure, they teach valuable skills. But that was never an invitation to see them as a value extraction tool or tie their worth to that. People didn't spend (unpaid) labor of creating challenges or writeups to make shareholders happy.

Manfred Paul @_manfp
@LiveOverflow @_mixy1 If FIFA allowed robot players, and 99% of accomplished soccer players said "we hate this, this ruins our sport", would we all go "this is just what the word 'soccer' means now"? The community gets some say in what the word "CTF" means. And nearly no one there enjoys AI v. AI.

Manfred Paul @_manfp
@LiveOverflow @luminaryxd And "flag is flag" has not been the only beautiful (unwritten) principle of CTFs. CTFs are about rewarding deep technical understanding, not outsourcing thinking; being (relatively) accessible to anyone with skills+motivation+time, not requiring investment of money.

Manfred Paul @_manfp
@LiveOverflow @luminaryxd I don't think the numbers matter if the community isn't there. The bottleneck was always top players willing to put in the effort to build high-quality challenges for a handful of top tier CTFs, and I feel like motivation is starting to drain fast there.

LiveOverflow 🔴 @LiveOverflow
What I've always found amazing about CTFs is that "flag is flag". Whether you found an unintentional solve or pwned the browser with n-day for an XSS challenge, it didn't matter. I totally get the frustration of AI, but there is no solution other than accepting the change.

siunam @siunam321
I started playing CTFs in 2022, and LLMs definitely changed the **competitive** CTF scene a lot, especially since mid-2025. I also started using LLMs in late 2025. Yes, those models did one-shot many challenges, but what's the fun of slopping them? I learned absolutely nothing 🥲

Manfred Paul @_manfp
If you're a security researcher and in Germany, consider signing cysec-reform.jetzt. Decriminalizing research might not be the top political priority right now, but it's still important!

Manfred Paul retweeted
David Mirren @davidmcgeoch9
More important than ever!!

Manfred Paul @_manfp
@ecsc2024 @MITAmalta @MITAmalta, this is not how you build up a cybersecurity community in your country. It was great to see a lot of ECSC players show their support for people like @_mixy1 who faced both disqualification and legal action. As the vulnerability research community, we should do the same.

Manfred Paul @_manfp
@ecsc2024 Only low point though was the lack of a Maltese team, apparently due to @MITAmalta blocking some of the (already qualified) team from coming after they were arrested for responsibly disclosing(!) a vulnerability in a student app in 2022. timesofmalta.com/article/winnin…

Manfred Paul @_manfp
Had a great time playing for the German team at @ecsc2024, shout out to the organizers for putting on a really great competition!

Manfred Paul retweeted
Tavis Ormandy @taviso
This strange tweet got >25k retweets. The author sounds confident, and he uses lots of hex and jargon. There are red flags though... like what's up with the DEI stuff, and who says "stack trace dump"? Let's take a closer look... 🧵1/n

Manfred Paul @_manfp
@seanhn And while we're making accusations about "being unable to contemplate the wider consequences": There should be a red line there for a reason. It's the same line that says intentional backdoors are not OK. Or that some country you don't like shouldn't be allowed to do the same.

Manfred Paul @_manfp
@seanhn I really don't get how that wouldn't be an "executive decision about a counter terrorism operation" then. If you don't want tech companies to play on that stage, then them following a consistent rule of "if we learn about a bug, we fix it" is the only way to have that.

Sean Heelan @seanhn
I am amazed at how many people are seemingly comfortable with middle managers at an ad agency taking executive decisions about counter terrorism operations.

Manfred Paul @_manfp
@seanhn I'm confused, do you want them to make decisions about the operation (and not just the bugs) or not?

Sean Heelan @seanhn
@_manfp The fact that you're unable to contemplate the wider consequences of "fixing and reporting bugs" in this specific context proves my point =)