I Attended This Hacker Conference and All I Got Was All the Data on Your Hard Drive

As the game gets going, the mood in the room is tense. Even though Capture the Flag has been played in Vegas every summer for the past eight years, players never know exactly what they´re in for until they arrive. About an hour ago, the organizers-a Seattle-based group known as the Ghetto Hackers, who took the reins of the game in 2002 after winning it three years running-handed out CDs and instructions for a scenario modeled on corporate espionage. (Or, as it´s laid out in the rules, theft.) The teams represent banks, competing to capture "tokens" instead of flags. About 10 times an hour, an automated program places a token–a small piece of code-onto each team´s game server. The tokens represent valuable data that, in the real world, would be a tempting target to be scrutinized or stolen.

Whichever team emerges as the winner by tomorrow night will score a coveted set of black Def Con badges, good for free entry to the Con for life (and bragging rights for a year). Probably more important, though, everyone who plays will get a reality check on his security skills. The game is designed to be as realistic as possible–to make participants attack and defend the kinds of services real companies use online. The Ghetto Hackers know what real security problems look like; most of them work on those problems for a living.

So do most of the folks I´m sitting with, the members of a team called Bacon, which is named after the only thing the 12 teammates could think of that they all liked. If the bookies down on the Strip were putting a line on this year´s event, Bacon would be among the clear favorites. I met John Viega, the closest thing the group has to a leader, two years ago at a table about 20 feet from where we´re sitting now. At the time, he and many of the current Bacon players were on a team called Immunix (named after a Linux security company), which eventually took a very close second place. Most of Viega´s teammates work or have worked for him at a start-up called Secure Software, though they´re supplemented by two men from Cox Communications, one from Intel, another from AOL, and one guy who talks with me all weekend but refuses to tell me his name or where he works.

If, for the most part, this sounds like a pretty mature crowd for a hacker conference, that´s because this is 2004. The teenagers of the 1980s, and, for that matter, the '90s, have grown up. The humor and attitude are still there-at the moment I´m looking at a laptop sticker that reads "My other machine is your Linux box"–but the guys who qualify for Capture the Flag aren´t kids.

Take Viega as Exhibit A: He´s 30 years old, a father of two. He has written some important open-source software (including a program called Mailman, which you may use if you belong to e-mail listservs). He has taught university classes, published three books on writing secure code, and, in 2001, founded his company, which now employs 31 and where he is chief technology officer. He was so busy the week before the conference that he failed to make hotel reservations. Then again, he won´t need a room if he doesn't sleep.

Leaning over the table, Viega is urgently and quietly trying to map out a game plan. The Bacon players are downloading applications from their game server to their laptops and beginning to analyze them. The Ghetto Hackers have written applications (and modified some off-the-shelf ones) in ways that leave them vulnerable to attacks by a skilled hacker. Bacon´s looking to pick those locks, slip into the other teams´ servers, and pilfer their precious tokens.

And soon the effort pays off. At about 4, an announcer gets on the PA system: "We´d like to give a shout-out to Bacon: the first blood of the game." Viega has hacked into five teams' systems. The others still have plenty of time to catch up, though. The contest won't end for another 30 hours.