Title: 2025 WRCCDC Regional Qualifier
Category: Technology
Tags: Cybersecurity, WRCCDC
This blog post will be on the shorter side. Last Saturday, my school competed in the WRCCDC. There were 27 teams that competed, and only the top 8 advanced to Regionals. Our school placed 16th out of 27, which isn’t amazing, but it’s not terrible either. It’s progress from last year, where we placed 20th out of 22 teams. UCI dethroned Stanford this year. The top 3 teams were UCI, Stanford and then surprisingly SDSU. Cal Poly Pomona fell out of the top 3 this year and didn’t even qualify for regionals, which I found to be very surprising.
Here is the link to the results of the WRCCDC.
https://bsky.app/profile/wrccdc.org/post/3lhsatqjyok2l
I didn’t realize until after the competition that we could have Master’s students competing on our team. Most of the students that competed for CSUSM this year were undergrad juniors, and one of our guys had to bail too, so we only had 7 competitors. My ambition is for CSUSM to move up to the top 12 teams next year. If we can get some students that are studying for their Master’s degree, in combination with our more veteran competitors getting additional experience over this next year, I expect us to place a lot higher. I think top 12 is definitely attainable.
This year was particularly ruthless. Usually blue teams are given approximately an hour or so to set up some basic defenses and run some hardening scripts. It was barely 15 minutes into this competition before we identified the red team in our router. In addition, the Kubernetes CI/CD was an awful experience to try and configure, lock down, and secure. I still learned a lot and had fun though. We kept most of our services up for most of the day and I’m proud of how well we did, despite having about half our team being brand new. I didn’t really get a chance to even install or configure the Intrusion Detection System (IDS) though. I was tasked with trying to set up all the firewalls and blocking ports since no one else wanted to do it or had experience. That’s something I definitely need to get better at over this next year or so and get more comfortable with. WRCCDC is seen as one of the hardest collegiate cyber defense competitions, so I’ll be looking forward to more Hivestorm events that CCDC has that are more beginner friendly.
I don’t expect I’ll be competing in any other cybersecurity competitions this year unless it’s specifically a CCDC event. I need to turn my attention back to software engineering, midterms, prepping myself for summer internships, research projects, and my capstone project in the fall.
Posted on: 2025-02-17 01:17:34
Title: 2025 WRCCDC Invitational
Category: Technology
Tags: Cybersecurity, WRCCDC
Long post incoming. I'll have to figure out a way of creating post previews, and then redirecting to the post content on clicking 'view more' or something.
Approximately two weeks ago, on Saturday, January 25th, I competed with members of the CSUSM Cybersecurity Club and members of the CSUSM MIS Society in a simulated cyber defense competition called the Western Regional Collegiate Cyber Defense Competition (WRCCDC). This competition was an invitational, meant to be the practice event before the actual regional qualifier coming up this Saturday, February 8th. Our goal in this competition is to assume a defensive role to protect a fictitious and simulated business or organization while we are being attacked by experienced offensive specialists. We are tasked with protecting systems and the network, maintaining service availability, providing customer service and IT related solutions to the orange team, and responding to various inject requests that we are challenged with throughout the competition.
In my experience helping lead the CSUSM Cybersecurity Club, I would say WRCCDC has been the premier, main type of event to prioritize throughout the academic year. In all of the Capture the Flags (CTFs) and other events we’ve participated in, WRCCDC has by far always been the best educational and entertaining way to test your skills and learn. I am biased and heavily favor defensive competitions over jeopardy style CTFs. Nothing really quite compares in regards to intensity, teamwork, knowledge, experience, and fun. It is a great bonding exercise for students, and a great way to learn some basic fundamentals that can be applied in the real world.
My main takeaway is that for a team to be successful in these types of events, there needs to be a lot of preparation work done in advance by the teams that are competing in order to be competitive at a high level. The top 3 schools in the WRCCDC historically have been Stanford, Cal Poly Pomona, and UCI. UCR usually does well too; this invitational they placed 3rd. That being said, you can go in totally blind without a lot of experience or skill on your team and come out having had a blast getting owned by the red team and learning a lot in the process. CSUSM has a lot of room for improvement if it wants to be competitive in the future. Many of us in the Cybersecurity Club are also in leadership positions in many of the other clubs as well, like ACM or Google Developer Student Club, so our prep work typically consists of doing a lot of research the night before as we are spread kind of thin. CSUSM only this semester started offering an undergraduate degree in Cybersecurity, so hopefully our club can draw more interest in the future and we can have more specialized students competing that are more experienced and determined to do great things.
For teams without a lot of experience, I would recommend trying to accomplish 3 things in the first hour of WRCCDC. First, work towards changing default passwords on systems. Second, patch/update all of the systems. Third, configure the router and firewall rules, and block any unnecessary open ports. Red team to my knowledge usually gives teams a grace period of an hour before they start attacking, so if you can get those basic three tasks completed in the first hour, you are already doing better than half of the teams competing I’d say. The tasks I discussed are simple enough to where newer players can get a feel for things and feel like they are contributing or being helpful, while more advanced team members can work on more advanced tasks or injects. Red team will still find ways to use exploits to gain root access to systems though, so don’t think that’s all you have to do. Those are just the three simplest things you can do in the first hour to reduce your exposure to the low hanging fruit that an attacker might use.
One of the cool things that I got to put my efforts into this competition was installing and configuring an Intrusion Detection System (IDS). One of the injects given by the competition organizers was to set up a basic IDS to detect users attempting to escape their VM environments, or unauthorized users attempting to access a VM from outside the containerized environment. No one in our group previously had any experience with an IDS. I wanted to learn some basics, so I took it upon myself to take responsibility for the task and teach myself as much as possible as quickly as possible, to install and configure an IDS in the two-hour window we had to complete the inject objective and create a writeup about the process.
I used ChatGPT to give me a basic summary of the open source IDS options available, and make a recommendation based on my system and inject requirements. It recommended Suricata, and assisted me in installing and properly configuring the IDS. In about an hour, I went from having no knowledge of Intrusion Detection Systems, and no experience using an IDS, to having a functional IDS detecting anomalous traffic, and some basic knowledge of how to set up and use Suricata. This is what I mean when I say how useful and educational these competition environments are. It is an excellent way to rapidly upskill and gain knowledge and experience. If 8 students don’t know how to do something and then one of them figures out how to do that thing, now all 8 students know how to do that thing. If you’re not using an LLM like ChatGPT or something else too, you’re going to be at a significant disadvantage from people who are using it in the real world. That entire process might have taken several days of research and troubleshooting, utilizing traditional methods, to go from zero knowledge to functional IDS. I was able to leverage ChatGPT to get all of the research, installation, configuration, and a how-to guide write up done in the two-hour window of time allotted, so that I could shift attention to other areas of our environment that were under attack.
The WRCCDC Regionals competition is going to happen this Saturday, February 8th from 9am – 5pm. Last year was our campus’ first time competing in at least 5 years, and we got 19th out of 22 teams. Not impressive by any means, but for many of us, that was our first experience and we were trying to figure out the basics. One of our players accidentally nuked our router the last hour of the competition too and all of our services went down. This year, I’m hoping we place in the top 16. About half our current team is people from the previous competition, and the other half, this is their first exposure to cybersecurity concepts, so we’ll probably have to do a lot of teaching and handholding. Most of us aren’t even cybersecurity students though. For instance, I’m a Software Engineering student. I just have an interest in cybersecurity.
Anyway, my goal for this Saturday is to install and configure Suricata to be our IDS and Fail2Ban to read the Suricata logs and automatically ban IPs that trigger alerts. If I can get this done on the router in the first hour or two of the competition while the rest of the team works on the other 3 primary responsibilities I discussed earlier, I would consider that a success. We should be able to then focus our efforts on exploring other attempts at locking down and hardening systems. I think we’ll need someone to do more research on Kubernetes CI/CD and preventing container-to-host attacks, but that might have to be someone else’s responsibility as I am under the impression I will be spread quite thin. It should be a lot of fun though, and as always, I am looking forward to the amazing memes the community will share throughout the competition.
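The Suricata-to-ban plan above comes down to Fail2Ban-style windowing: ban a source once it triggers `maxretry` alerts within `findtime`, and never ban addresses on an ignore list (Fail2Ban's `ignoreip`), so a noisy rule cannot lock out your own hosts. The sketch below is an added example, not code from the original post; the log lines are constructed, and the thresholds and the `10.0.0.0/8` ignore range are assumptions.

```python
import ipaddress
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in Suricata's EVE JSON shape (documentation-range IPs).
SAMPLE_EVE = [
    '{"timestamp":"2025-02-08T09:00:00.000000-0800","event_type":"alert","src_ip":"198.51.100.9","alert":{"signature_id":1000001}}',
    '{"timestamp":"2025-02-08T09:05:00.000000-0800","event_type":"alert","src_ip":"198.51.100.9","alert":{"signature_id":1000001}}',
    '{"timestamp":"2025-02-08T09:14:01.000000-0800","event_type":"alert","src_ip":"203.0.113.7","alert":{"signature_id":1000002}}',
    '{"timestamp":"2025-02-08T09:14:05.000000-0800","event_type":"alert","src_ip":"10.0.0.50","alert":{"signature_id":1000003}}',
    '{"timestamp":"2025-02-08T09:14:06.000000-0800","event_type":"alert","src_ip":"10.0.0.50","alert":{"signature_id":1000003}}',
    '{"timestamp":"2025-02-08T09:14:07.000000-0800","event_type":"alert","src_ip":"10.0.0.50","alert":{"signature_id":1000003}}',
    '{"timestamp":"2025-02-08T09:15:30.000000-0800","event_type":"alert","src_ip":"203.0.113.7","alert":{"signature_id":1000002}}',
    '{"timestamp":"2025-02-08T09:15:40.000000-0800","event_type":"flow","src_ip":"203.0.113.7"}',
    'truncated line, not JSON',
    '{"timestamp":"2025-02-08T09:16:10.000000-0800","event_type":"alert","src_ip":"203.0.113.7","alert":{"signature_id":1000002}}',
    '{"timestamp":"2025-02-08T09:20:00.000000-0800","event_type":"alert","src_ip":"198.51.100.9","alert":{"signature_id":1000001}}',
]


def ban_candidates(lines, maxretry=3, findtime=timedelta(minutes=10), ignore=("10.0.0.0/8",)):
    """Return {src_ip: time of the alert that crossed the threshold}."""
    ignored = [ipaddress.ip_network(n) for n in ignore]  # assumed own/internal range
    recent = defaultdict(deque)   # src_ip -> alert times still inside the window
    banned = {}
    for line in lines:
        try:
            ev = json.loads(line)
            if not isinstance(ev, dict) or ev.get("event_type") != "alert":
                continue          # flow, dns, stats ... are not ban triggers
            src = ipaddress.ip_address(ev["src_ip"])
            ts = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        except (KeyError, TypeError, ValueError):
            continue              # malformed or partial line: skip, never crash
        if str(src) in banned or any(src in net for net in ignored):
            continue
        hits = recent[src]
        hits.append(ts)
        while ts - hits[0] > findtime:   # drop alerts older than the window
            hits.popleft()
        if len(hits) >= maxretry:
            banned[str(src)] = ts
    return banned


if __name__ == "__main__":
    for ip, when in ban_candidates(SAMPLE_EVE).items():
        print(f"ban {ip} (threshold reached {when.isoformat()})")
```

On the sample, only 203.0.113.7 is banned: 198.51.100.9 spreads its alerts over more than ten minutes, and 10.0.0.50 is inside the ignored range even though it trips the threshold.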
Posted on: 2025-02-04 20:37:51
Title: Site security improvements
Category: Site
Tags: Site, Blog, Updates, hCaptcha, Cloudflare Turnstiles
I've added some updates to the website. I've added client side and server side validation. Passwords are encrypted. In an effort to reduce spam, denial of service and brute force attacks, I looked into implementing a form of CAPTCHA verification for various form submissions. I noticed many websites are using Cloudflare Turnstile as a means of protection, so I looked into using it on my website. On Cloudflare's website, they boast,
"Unlike CAPTCHA options, Turnstile never harvests data for ad retargeting. You can preserve the privacy of your users without sacrificing effectiveness."
I implemented the Cloudflare Turnstile and configured it to work on my website. I'm not sure exactly how I stumbled upon this, but the pages that had Cloudflare Turnstile implemented also had 10 new additional cookies being stored. Interestingly enough some of the names looked like this:
cfz_amplitude
cfz_facebook-pixel
cfz_google-analytics_v4
cfz_reddit
cfzs_amplitude
and another having to do with adobe.
I was able to identify this by inspecting the page I was on, then clicking on Application->Storage->Cookies and then clicking on the cookies for my website https://sawyersieja.com. I could tell it was coming from Cloudflare, because they all had .cloudflare.com as the domain, and only appeared on pages where the Turnstile was implemented.
I don't know how Cloudflare can justify saying they care about privacy while at the same time attempting to sneak in undesirable bundled features that are tracking users on behalf of third parties. There is no simple way to opt out of these features while maintaining basic Turnstile functionality, and their customer support is essentially non-existent. Users of the Cloudflare Turnstile might implement this on a website under the impression that it's safe to use, however, it is possible that a web developer using the Turnstile may be unknowingly violating EU GDPR and other regulations due to privacy issues and data collection that is occurring.
If I did not stumble upon those cookies being stored, it's possible I would inadvertently be assisting third parties in tracking users on my website, which is not okay with me. Cloudflare is not transparent about this process and shouldn't be misrepresenting their Turnstile widget as being privacy focused, when it is clear it is not.
Instead, I've found a better option, hCaptcha. hCaptcha is open source, actually cares about privacy, and is more customizable. There are no attempts to hide cookies or misrepresent itself that I've identified so far. Cloudflare has lost my trust and respect as a developer, but hCaptcha has gained it.
Posted on: 2025-01-14 21:57:32
Title: Vague Roadmap
Category: Site
Tags: Site, Blog, Roadmap, Updates
Sooo, I had a bunch of content already written for this blog post. It was pretty long. It went into more depth about current progress, and future changes to come. Unfortunately, I got to learn more about session timeouts. When I attempted to post the blog and send the information to the database, I see that my session id timed out and I lost everything in that post. A learning lesson for sure, and something to add to the list of features for the roadmap to implement for quality of life improvements. I’m just going to drop a tl;dr for now of what was in that post:
-Functionality now, design later
-Search Posts
-Filter Posts
-Implementing Post “Likes”
-Improving categorization system
-Better menu structure
-Responsiveness
-Design overhaul
-Improved input validation/sanitation
-Resume page more interactivity and links to source code and repos
Posted on: 2025-01-12 00:10:47
Title: Hello world!
Category: General
Tags: Test
Hello world! If you are seeing this message, then I have successfully configured the backend with the database for this blog. This makes me happy. I hope to continue to expand on this making cooler stuff that makes both of us happy.
Posted on: 2025-01-11 00:57:47