Hacking contest promotes security

Despite tough talk on computer crime, hackers--including some from federal agencies--are learning about defending networks by breaking into computers.

LAS VEGAS--The U.S. government continues to talk tough on computer crime, but here in the desert, hackers--including some from federal agencies--are learning about defending networks by breaking into computers.

The exercise is part of a Capture the Flag-like game that's known as Root Fu. The annual contest pits eight teams at the DefCon conference against each other in a test of network defense and hacking skills. Each team has to defend its own server and applications while trying to break into the servers of the seven other teams.

"This sort of adversarial testing shows what is possible--and not--with security," said Crispin Cowan, chief scientist at Linux security seller Immunix and the leader of the Immunix team. "We value this competition, because we think it is a better evaluation of security than common criteria."

Such comments conflict with tough talk from top-level U.S. officials who still look at hackers as a threat. Laws such as the Digital Millennium Copyright Act and the Cybersecurity Enhancement Act have focused on punishing hackers. But knowledgeable security experts see practicing such skills through Root Fu-like challenges as a necessary way to improve security.

"The reality is that you may have hostility at a high level, but the people who know their stuff decided to come," said Adam Shostack, chief technology officer for security start-up Informed Security.

Each team had to run five Web services on a variant of Unix known as BSD. The services consisted of the music streaming application IceCast, a Web news portal based on Slashcode, two ads, and a multiuser text-based role-playing game known as FurryMuck. Each team accumulated points for having the applications available. The longer a service was up, the more points its supervising team won. However, each team lost points if a service it was running became compromised.

Ghettohackers, the group of hackers who created and officiated the game, focused on making the competition a good measure of offensive and defensive security skills. Late Saturday, the Immunix team retained a large lead, but another team named Anomaly caught up to win the competition on Sunday.

Alan Harper, a security engineer with the , thought that competitions like Root Fu could help others understand that all hacking isn't bad.

"There is an understanding, more and more, of ethical hacking," he said. "The technique is the same, but the intent is different. It's not something that we have to hide from our peers at work."

Root Fu--a hackerish name derived from the superuser's name on Unix systems, root, and the final syllable of kung fu--may also have settled a long-debated point, Immunix's Cowan said: whether hackers make the best defenders.

"The offensive attackers have been doing the best code auditing," he said. "They attack, find the holes and then tell the defenders on the team."

The experience underscores that knowing how to attack systems is a critical skill in learning how to defend them. Others have maintained that you can't trust hackers, but Cowan stressed that it's all about the ethics of the hacker.

"Hacking tools should not be illegal, but if I use them to break into your computer, then I'm a criminal," he said.
