Want CNET to notify you of price drops and the latest stories?

Putting fun back into hacking

At Defcon, the annual capture-the-flag tournament captivates players and spectators with a new back story, snazzy graphics and a tougher scoring system.

Robert Lemos Staff Writer, CNET News.com
Robert Lemos
covers viruses, worms and other security threats.
Robert Lemos
5 min read
LAS VEGAS--In a dim section of the main ballroom at the Alexis Park Hotel, hackers were trying to break into the computer systems of current stock market favorite Weiss Labs.

A mix of teenagers to thirty-somethings, the hackers at the Defcon gathering here breathed second-hand cigarette smoke and quaffed Red Bull energy drink by the liter, their hearts beating to a techno rave track. They're a dangerous bunch, too: A hacker from the research arm of a rival company broke into the Weiss Labs server and found a flaw, causing the computer to eat up its own memory, finally crashing the system.

"They didn't get root, but they did manage to DoS us," said Crispin Cowan, head of the Weiss Labs' team. That is, the break-in didn't get all the way to the core of the server, but a denial-of-service (DoS) attack overwhelmed it with traffic.

That may seem like a blase response to a serious security incident, but it's in the spirit of things at Defcon. Cowan and nearly a hundred other hackers and security experts were playing the latest incarnation of the conference's hacking contest, capture the flag. In real life, Cowan is a chief researcher with Wirex Communications, a maker of security software for the Linux operating-system, and his fictitious company, Weiss Labs, was one of eight teams taking part in the contest.

This incarnation of capture the flag, the brainchild of a Seattle group of high-minded security geeks known as the GhettoHackers, pits rival hacking groups against each other in a game of corporate espionage. Each group has to maintain its own server while attempting to crash or take control of other teams' servers.

GhettoHackers made the game tougher by granting points only when a team's own server was up and running. In addition, groups had to provide certain services--such as e-mail, Web access and instant messaging--but the GhettoHackers didn't tell the teams which ones. Of course, the officials did provide teams with a default (one that is insecure) installation of an older Linux distribution that would satisfy the requirements, but that would be hacker bait if used without modification.

"There were a lot of things running on the system that we never told the teams about," said Robert Harvey, an independent security consultant and GhettoHacker member.

Each team earned points during the weekend event by keeping its server able to answer any data queries sent by the administrators. They also scored if, while their system was up and running, they took control of another server. Short news announcements featuring a white-faced geisha told teams whether they had scored a big hack or if they had sunk lower in the ratings.

The final results should be available at the Defcon site on Monday, and the Shmoo Group of hackers intends soon to publish the network sniffer logs, detailing all the attacks.

During the game, the teams sat at eight tables arranged in a circle, each known by a color and a fictitious corporate name using a variation on that color: Weiss Labs for the white team, Rouge Group for red, Midori Consulting for green and Azul Security Systems for blue. Network cables suspended from the ceiling resembled the wire ribbing of an umbrella and connected the hackers to each other, but also separated them from the Internet.

The skulduggery was limited only by the teams' imaginations.

"It is one of the few places where you can go all out," said the orange-haired Harvey, who went by the handle "Rizzo" at the conference. "There are very few things that are disallowed."

Weiss Labs, made up of Wirex researchers who defended their Immunix software and Shmoo hackers who did the attacking, took control of one team's computer and replaced the shell script with a halt command, essentially making the box shut down every time it was started. The tactic didn't gain the team any points, but did rob its rival of points.

Points were also lost to some other, non-hacking events: Teams could, for instance, Dumpster-dive or pick a locked safe. In addition, a team had to undergo the embarrassment of a mock Business Software Alliance audit, in which referees reviewed their systems for any signs of unlicensed--and unsanctioned--software.

A stock chart, rewarding teams that did well, kept score for spectators but didn't necessarily show the real rankings of the teams. A group that had just scored points would see it indicated in their stock price, but one that scored most of its points the day before might find itself down in the bottom of the rankings.

Germany's Chaos Computer Club, playing as the yellow team's Amarelo Industries, took an early lead on Friday, but was supplanted by Midori on Saturday. Then Weiss Labs and Orange Team Security were neck and neck through most of Sunday. With five minutes left to go, Orange took over the lead position in the stock market.

X30n, leader of the orange team, said that a three-day hacking contest doesn't really come close to "true" hacking. "But I'm really impressed with the design." he said.

The stock market scoring system attracted many more spectators to the event than in previous years. At the same time, the weak correlation between the stock rankings and how the teams really placed caused some grumbling.

A chagrined Cowan waved off the problems as minor hiccups. "They seem to have done a good job simulating the real-life frustration of being a system administrator," he said.

Caezar, founder of the GhettoHackers, acknowledged the problems, but also stressed that this year's event was version 1.0 for the group. "We need to give people better status indicators," he said. "We left people too far in the dark."

Overall, the facelift for the game seems to have pleased most players and spectators.

"It is overwhelmingly cool this year," said Collin Greene, a Seattle high-school senior and member of the blue team, which placed seventh in stock price. "We definitely learned a lot, mostly from getting owned." When another team takes control of a computer, the computer is then considered "owned."

Greene said that placing so far back won't deter him from trying again.

"This has just made me want to do it again next year even more," he said.