Culture

Defcon hacking challenge swings a sledgehammer at unlucky computers

Whatever you do, don't roll a 4.

Alfred Ng Senior Reporter / CNET News

Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.

See full bio

Alfred Ng

Aug. 15, 2018 5:00 a.m. PT

5 min read

It's Saturday morning at Defcon, and eight players are racing to solve as many hacking challenges as they can within two hours.

But the crowd at Caesars Palace isn't here for that. They want to see someone's computer get smashed.

A player known only as "That Guy" is the first unlucky contestant to get randomly selected to roll a 20-sided die. After rolling a 6, he lets out a groan, and accepts his fate: A man in a hot dog suit is going to drop a five-pound kettlebell on his laptop.

I'm at the first ever d(struct)20 Capture the Flag contest at Defcon, the annual hacking conference held in Las Vegas. Along with villages on hacking IoT devices, smart cars and voting machines, Defcon also hosts competitions on the side, often with twists. The new Capture the Flag, or CTF, event just happens to have a destructive catch.

Though Defcon lasts just three days, hacking and cybersecurity are year-round concerns for just about everyone now. Most infamously, perhaps, there's the Russian hacking of US elections, which surfaced in connection with the 2016 presidential campaign and continues to this day. Tech giants like Google, Facebook and Apple offer bug bounties -- payments up to $550,000 -- to hackers who find flaws in their products. Even at the household level, people have to worry about their routers, smart thermostats and security cameras being tampered with.

The rules

In typical CTF competitions, entrants tackle a series of computer-hacking challenges and try to capture digital flags.

The d(struct)20 event ups the ante, though. Every 10 minutes, a random player is picked to roll a 20-sided die, and as in Dungeons and Dragons, the role-playing game that also uses a d20 die to determine a player's progress, the lower the number, the worse the outcome. For example, a 20 would mean you're safe, but a 4 would mean your laptop gets introduced to a sledgehammer.

One of the hosts, a representative of the fictional Church of Wi-Fi, holds the 20-sided die that determines a computer's fate.
Alfred Ng/CNET

"Anything 8 or below, your machine is probably going to die," Daniel Crowley, the event's organizer and a research director with IBM's X-Force Red cybersecurity unit, told me in an interview the day before the contest.

Players are allowed one backup device. If your first machine gets trashed, you can continue for as long as your second device survives.

Each time you roll the die, you're awarded 300 points, and players can volunteer to roll for an extra advantage. You just have to hope that the strategy doesn't backfire and eliminate your device.

"One of the ways you can rack up points is by building an insanely rugged machine," Crowley said.

The competition lasts two hours. Whoever has the most points by the end wins.

Get rekt

On stage, there are three Panasonic Toughbooks, laptops marketed for their ability to take a beating. Panasonic didn't respond to a request for comment.

Dan Hoetger is behind one of those Toughbooks, which he bought on eBay for about $30, specifically for the contest. In the line to get in, he told me he didn't expect it to survive.

"I kind of want the sledgehammer," Hoetger said. "I want to really see what this Toughbook can do."

Other contestants have brought Raspberry Pi computer boards in plastic cases, netbooks, and, in the case of one brave entrant, a phone. A few have brought external monitors so if their computer's screen breaks, they can still compete.

"Thank you for choosing to play in the only CTF where your computer can be hit with a sledgehammer," Crowley says, as he kicks off the competition. "We had a lot of destruction methods we couldn't use, because apparently Caesars doesn't like liquid or fire."

Watch this: Hackers take on new voting machines at Defcon

01:41

For safety reasons, Crowley had to set up a "kill zone" under a canopy closed off by clear vinyl, so shrapnel couldn't hit the crowd. And then for reasons unexplained, he had a man in a hot dog costume be the person behind the destruction.

After his Toughbook survives the kettlebell, That Guy is in the lead with 300 points. After another 10 minutes pass, a player named "The Duke Zip" is randomly selected.

He rolls a 1, the worst possible number you can get. A 1 means he has to reroll twice. He hits a 13, and his laptop gets dropped on the floor. Then he rolls a 12, which means having a rare-earth magnet rubbed on his computer, potentially scrambling the data on it.

At @d20ctf where players solve coding challenges and every 10 minutes they roll a d20 to get their computers wrecked.
This one rolled a 13 to get his laptop dropped. Still works, still in the contest pic.twitter.com/LHliFfFKRs
— alfred 🆖 (@alfredwkng) August 11, 2018

The crowd winces at the abuse but erupts into cheers when Duke Zip shows that his laptop is still working. He's using a 10-year-old Acer Aspire One notebook, running Linux.

After surviving the back-to-back attacks on his computer, Duke Zip decides to test his luck and volunteeres to roll the dice again for extra points. This time he rolls a 7, which means Crowley takes out a Tesla coil gun and unleashes bolts of electricity at his computer.

To Crowley's shock, the laptop survives the Tesla coil gun, too -- despite the fact that, as someone next to me mentions, "it smells like melting plastic up here."

Then another 10 minutes passes. The random selector again lands on Duke Zip, and the crowd laughs at his misfortune. The laughter gets louder when he rolls another 1. That means two more rolls. First, a 4 -- the first sledgehammer sentence of the day -- but a 19 on his second.

The same guy got selected again after surviving a drop, magnets and a Tesla gun.
Rolled a 4 and got the sledgehammer, which finally killed this computer pic.twitter.com/nZTSlsWTup
— alfred 🆖 (@alfredwkng) August 11, 2018

After surviving a drop, the rare earth magnets and a Tesla gun, Duke Zip's laptop finally succumbs to the sledgehammer. After the execution, Duke Zip switches to his backup machine and continues trucking along, now with an additional 900 points, thanks to the sacrifice of his first laptop.

Meanwhile, Hoetger, with his Toughbook, has the most points, and hasn't taken any damage yet. He then volunteers to roll the dice, and the laptop takes a blast of cold, compressed air into its vents.

The Toughbook survives and he continues the coding challenges. As the game creeps closer to the two-hour deadline, more and more contestants volunteer to roll the dice. The Tesla gun destroys a machine. A sander takes out another. Several participants -- including the lone phone contestant -- look on as the sledgehammer dashes hopes and gadgets.

Hoetger volunteers two more times, getting the compressed air again, and then a kettlebell. The kettlebell finally kills his Toughbook.

"I knew that I wanted to go for the destruction play," he says, "because I don't want to take this home with me."

By the end of the challenge That Guy is the winner, with 1,210 points -- even though a later kettlebell also destroys his Toughbook's screen. Hoetger takes second place, with 1,160 points, and Duke Zip comes in third, with 1,150 points.

After several rounds of a sledgehammer destroying computers, I overhear an audience member say, "I don't know if I can watch another CTF again."

Security: Stay up-to-date on the latest in breaches, hacks, fixes and all those cybersecurity issues that keep you up at night.

Blockchain Decoded: CNET looks at the tech powering bitcoin -- and soon, too, a myriad of services that will change your life.