BuckeyeCTF 2025: On Cowardice, Betrayal, and AI


TL;DR

Invited by the CTF president (a friend) to compete. Our team dominated the OSU Division. Sunday morning: silently moved to Open Division for having a grad student (me). No warning, no conversation - just institutional cowardice when we were winning.


The Warm Invite

fisher792: “You’re doing BuckeyeCTF, right? Do you have a team?”

Me: “Can I participate remotely?”

fisher792: “Yeah, you can.”

That was it. No fine print, no warning label. Just an easy, friendly exchange.

In hindsight, maybe I should’ve asked for a formal contract. Or at least a footnote explaining terms and conditions may apply if you start doing well.

When he invited me to join BuckeyeCTF, I didn’t hesitate. Why would I? This wasn’t just about competing in some CTF. This was about supporting something he’d been working on for months - his first major event as president of The Ohio State University Cybersecurity Club. His baby that he’d been planning and looking forward to. And he wanted me to be part of it.

So I said yes. Not because I’m a CTF regular (I’m not). Not because I desperately needed the prize money. But because someone I trusted, someone I cared about, asked me to be there.


Settling In

When the competition weekend arrived, I showed up early. fisher792 had asked me to help with setup, so I did. I carted balloons, helped check in students, and handed out t-shirts alongside the other officers. These weren’t strangers. I knew them. We’d hung out at club meetings, gone to their Halloween party. I had a volunteer lanyard, but I wasn’t on any official organizer channels. I was just there to support fisher792 and the team’s event.

Our team had three members. Kyle, a longtime friend of fisher792’s whom I’d met shortly after getting to know fisher792 about a year ago. Harry, a student fisher792 and I had both taught together last semester as TAs. And me. fisher792 hadn’t just invited us. He’d specifically chosen us, connected us, built this team himself.

We competed in the OSU Division, the team fisher792 had personally invited and assembled. I trusted that everything was above board.

We solved challenges, checked on each other, found our rhythm. Good people, fair competition, a few late nights fueled by caffeine. For two days, everything felt right. It felt like we were genuinely part of something fisher792 and the officers had worked so hard to build, and it was fun… exhilarating even.


The Unspoken Sin

I had a confession they never asked to hear: I was using AI assistance. Claude and GPT-4, to be specific. No rule against it. I’d asked multiple times - “Is this allowed? Is this a problem?”

“No problem at all,” they’d say. “Use whatever tools you want.”

But I suspect that was the real violation. Not being a grad student. Not breaking rules. But proving that their carefully crafted challenges, their months of preparation, could be conquered by someone who didn’t need to understand every elegant detail of their exploits.

I was treating their art like a problem to be solved, not a masterpiece to be admired. And I was winning.


First Place

By the end of the second day, our team had climbed to first place in the OSU Division.

Not just first. Dominant. That purple line on the leaderboard wasn’t just ahead, it was unreachable. Over 4,000 points while everyone else fought for position far below us.

Rankings

We weren’t trash-talking in Discord. Kyle cracked Bugle. Harry solved Diglot. We were doing well.

The competition had good bones. The challenges were clever, well constructed. The Ohio State University Cybersecurity Club officers had put real work into this, and it showed.

A few more challenges to go, and we’d keep the lead. Maybe grab that $400 prize. Not that the money mattered much, if I’m honest. This was never about the cash. It was about being part of something fisher792 had poured months into. It was about showing up for a friend.

Apparently, excellence was the real violation.

Scoreboard

Because on the morning of the final day (the 9th of November), I woke up, checked the scoreboard, and something looked off. Our team wasn’t in the OSU Division anymore. We’d been moved to the Open Division.

No email. No message. No announcement. Just silently shifted.

The OSU Division had a four-member limit and was restricted to undergraduates. The Open Division had no limit. In one click, we’d gone from leading our category to competing against massive external teams. Our placement was nuked in an instant.


The Message

fisher792: “Sorry Nick, we were just talking about it and it’s in the rules. I wasn’t as familiar as the others. Both top two teams had a grad student.”

No warning when I arrived Friday to help set up his event. No heads-up Saturday while we dominated the leaderboard. A single message Sunday morning, delivered after two days of silence while the problem festered.

The rule existed, buried a full page down on the event site. Easy to miss, easier to ignore - until inconvenient. Another team in our division had a grad student too. Even without their grad student’s score, they held third place. But they weren’t moved.

We were the anomaly. Not because of the rule, but because of the scoreboard.

The apology was careful. Self-deprecating, even. He admitted he wasn’t familiar with the rules, mentioned other teams had grad students too. All very reasonable on the surface.

But read between the lines. Nothing about personally inviting me. Nothing about assembling the team himself. Nothing about having two full days to mention this before we invested hours. Nothing about trying to defend us when it came up.

Just the rules. Clean. Simple. Institutional.

Hiding behind the shroud of enforcing rules. Rules are only enforced as far as the people in charge decide to enforce them. And The Ohio State University Cybersecurity Club decided to enforce this one on Sunday morning, after two days of watching us dominate, after I’d already helped run their event.

They had 48 hours to speak up. They chose Sunday morning, after we’d already won.

They knew I was a grad student. fisher792 had known for as long as he knew me, and so did most of his officers. They invited me anyway, assembled the team, let me help set up. Then we dominated. And suddenly, the rules mattered.

They couldn’t even give me the courtesy of a conversation. fisher792, the officers I’d worked alongside all weekend, none of them asked if I’d be willing to withdraw. I would’ve said yes immediately.

This wasn’t about the $400. It was about supporting something they’d built. And yeah, about proving that AI-assisted solving was viable. No rule against it. They never said a word about it… until we started winning.

But they never asked. They didn’t ask Kyle. They didn’t ask Harry. fisher792 had handpicked all three of us, assembled our team personally, and when the moment came to defend that decision, when any of the officers could have stepped up, they chose silence instead. It wasn’t just my trust they broke. It was all of ours.

They just made the decision for us, silently, and left us to discover it on a scoreboard.

I left the chat without replying. What response could possibly matter at that point?


The Post-Mortem

The Ohio State University Cybersecurity Club had two options when their president’s hand-picked team started dominating: celebrate an unexpected success, or protect their hierarchy.

They chose hierarchy.

Not immediately. First, they watched. Friday passed. Saturday passed. Only on Sunday morning, with our lead insurmountable, did they discover their principles.

In cybersecurity, we study human factors—how social engineering bypasses technical defenses. But we rarely talk about the inverse: how technical success can trigger social retaliation.

The real zero-day wasn’t in their challenges. It was in their egos.

I wasn’t asking them to break rules. I was asking for honesty. A quick “Hey, this might be awkward, but…” would have been enough. I’d have withdrawn immediately. But they never asked.

That’s what stings. Not the disqualification. The cowardice of avoiding a conversation.

The event ended. My team finished quietly. No one reached out after. No explanation, no apology, no “hope there are no hard feelings.”

Just silence.

Group photo at BuckeyeCTF

November 8th: All smiles. They already knew what Sunday would bring.

So here’s my lesson from The Ohio State University Cybersecurity Club: it’s incredibly easy to hide behind rules when honesty feels uncomfortable.

I came to support a friend’s event. I left understanding why “trusted insider” is the most dangerous threat model.

Flag: bctf{rul3s_f0r_th33_n0t_f0r_m3}