I Attended This Hacker Conference and All I Got Was All the Data on Your Hard Drive

Yesterday's computer hackers are today's "security professionals". But when the world's top geeks descend on vegas for a 34-hour battle of the brains, the black hats come out
Tom Schierlitz

It’s July in Las Vegas, and the relentless midday desert sun has already pushed the outside temperature into three digits. But here inside the Alexis Park Resort, it’s cool and dark. The bar is open, and the room is beginning to fill up. It’s 1 p.m., the big game has just begun, and, as you’d expect in the world epicenter for sports gambling, the room glows with the light from dozens of screens catching every nuance of the action.

But these aren’t television screens, they’re laptops. And the motley assortment of guys peering into them and busily clicking away at keyboards aren’t gamblers looking to score some last-second intel on the game, they’re hackers–and this is the game.

Welcome to Def Con, the self-proclaimed “largest underground hacking event in the world.”

That´s a tough claim to verify, what with the fetishistic value the attendees and organizers of such gatherings place on privacy, but there is no doubt that Def Con has exploded in popularity in the 12 years since a 21-year-old hacker dubbed The Dark Tangent (a.k.a. Jeff Moss) decided to launch the event as a way to meet a bunch of friends he´d only known online. About a 100 such friends answered his call for that first conference in 1993; at the 2004 Con, every one of the 4,000 preprinted entry badges sold out early. To get one, all you needed to do was show up at the door, $80 cash in hand.
No preregistration, no names, no questions asked.

And what do The Dark Tangent´s underground army of friends get for their 80 bucks? They get a three-day program packed with panel presentations on everything from the latest security research to tips on hacking your car. They get a chance to test themselves in a full slate of competitions, including War Driving (a scavenger hunt to identify unprotected wireless-access points in Las Vegas), Wi-Fi Shootout (a contest to establish long-distance wireless connections in the desert) and Spot the Fed (a game that awards T-shirts to those who successfully identify government agents in the crowd)-not to mention the hallowed annual coffee-brewing challenge (these guys are serious about their java). And they get their choice of three swimming pools, at least one of which is guaranteed at all times to be the scene of a boozy party, complete with DJ.

But the signature event of Def Con, the sun around which all else orbits, is the game just getting under way in this slightly seedy banquet room: an electronic version of Capture the Flag. Eight elite teams of hackers have advanced out of the 21 that entered an earlier qualifying tournament, and each team occupies one set of the conference tables that ring a nine-foot-tall scoring center, each set of tables littered with laptops and the team´s server, or “game box.” As in the game we all played in summer camp, the object here is to grab your opponents´ flags while protecting your own–but these “flags” don´t exist anywhere except the virtual worlds inside those servers.

Def Con´s Capture the Flag competition is the Super Bowl of hacking, though it must be said that a room full of pale, black-garbed geeks typing away and piling up Red Bull empties doesn´t exactly call to mind the smashmouth physicality of the gridiron. On the other hand, you´ve got to give the athletes assembled in this room the nod when it comes to stamina. Football´s superstars need to be at the top of their game for only about four hours. The guys here are going to be staring into these laptop screens for the next 33 hours.

As the game gets going, the mood in the room is tense. Even though Capture the Flag has been played in Vegas every summer for the past eight years, players never know exactly what they´re in for until they arrive. About an hour ago, the organizers-a Seattle-based group known as the Ghetto Hackers, who took the reins of the game in 2002 after winning it three years running-handed out CDs and instructions for a scenario modeled on corporate espionage. (Or, as it´s laid out in the rules, theft.) The teams represent banks, competing to capture “tokens” instead of flags. About 10 times an hour, an automated program places a token–a small piece of code-onto each team´s game server. The tokens represent valuable data that, in the real world, would be a tempting target to be scrutinized or stolen.

Whichever team emerges as the winner by tomorrow night will score a coveted set of black Def Con badges, good for free entry to the Con for life (and bragging rights for a year). Probably more important, though, everyone who plays will get a reality check on his security skills. The game is designed to be as realistic as possible–to make participants attack and defend the kinds of services real companies use online. The Ghetto Hackers know what real security problems look like; most of them work on those problems for a living.

So do most of the folks I´m sitting with, the members of a team called Bacon, which is named after the only thing the 12 teammates could think of that they all liked. If the bookies down on the Strip were putting a line on this year´s event, Bacon would be among the clear favorites. I met John Viega, the closest thing the group has to a leader, two years ago at a table about 20 feet from where we´re sitting now. At the time, he and many of the current Bacon players were on a team called Immunix (named after a Linux security company), which eventually took a very close second place. Most of Viega´s teammates work or have worked for him at a start-up called Secure Software, though they´re supplemented by two men from Cox Communications, one from Intel, another from AOL, and one guy who talks with me all weekend but refuses to tell me his name or where he works.

If, for the most part, this sounds like a pretty mature crowd for a hacker conference, that´s because this is 2004. The teenagers of the 1980s, and, for that matter, the ’90s, have grown up. The humor and attitude are still there-at the moment I´m looking at a laptop sticker that reads “My other machine is your Linux box”–but the guys who qualify for Capture the Flag aren´t kids.

Take Viega as Exhibit A: He´s 30 years old, a father of two. He has written some important open-source software (including a program called Mailman, which you may use if you belong to e-mail listservs). He has taught university classes, published three books on writing secure code, and, in 2001, founded his company, which now employs 31 and where he is chief technology officer. He was so busy the week before the conference that he failed to make hotel reservations. Then again, he won´t need a room if he doesn’t sleep.

Leaning over the table, Viega is urgently and quietly trying to map out a game plan. The Bacon players are downloading applications from their game server to their laptops and beginning to analyze them. The Ghetto Hackers have written applications (and modified some off-the-shelf ones) in ways that leave them vulnerable to attacks by a skilled hacker. Bacon´s looking to pick those locks, slip into the other teams´ servers, and pilfer their precious tokens.

And soon the effort pays off. At about 4, an announcer gets on the PA system: “We´d like to give a shout-out to Bacon: the first blood of the game.” Viega has hacked into five teams’ systems. The others still have plenty of time to catch up, though. The contest won’t end for another 30 hours.

Many people–hackers included–try to divide the hacking community into two clearly distinct camps: “black hats,” who are looking for holes so that they can exploit them and perhaps even steal data or spread viruses, and “white hats,” who look for holes so that they can plug them before they´re discovered by black hats. The reality is often far more gray, but there have always been hackers from both camps at the Con. (And part of the appeal of Capture the Flag is that even the purest of the white hats gets to be a bad guy for a weekend.)

As people come to rely more and more on electronic data exchanges in their daily lives, opportunities for hackers of both stripes are growing. Even something as simple as an ATM receipt can make you vulnerable to attack, warns Robert Morris, a former National Security Agency chief scientist speaking at a Def Con panel session. “Don´t just leave it at the ATM,” he says. “Don´t throw it on the sidewalk. I´m not going into what the problem looks like right now–some of you already know–but if you leave it at the ATM, you´re going to lose a lot of money.”

The growing popularity of wireless communications opens up even more avenues for electronic entry. At another panel, members of the Shmoo Group (a loose collective of security geeks that includes several Bacon players) present a program that would let someone hijack all the traffic at an Internet hotspot. They also show off a small “hackerbot” on wheels that finds unsecured Wi-Fi users and shows them their passwords on a large screen. Later in the weekend, three teens who have come to Def Con from Ohio describe how they drove around Cincinnati looking for unsecured wireless Internet connections, then knocked on doors and asked the people inside whether they wanted to have their connections fixed. “They kind of freaked out, so we were looking for something to do with all this equipment we´d just bought,” says Ben Corrado, explaining what inspired them to attend Def Con, where they won the Wi-Fi Shootout by establishing a wireless connection across 55.1 miles in the desert.

To the uninitiated, it looks like the people playing capture the Flag are simply hunkered at their laptops. The bulk of their time is spent poring over line after line of computer code, thinking of ways to penetrate it, and writing several lines of code to try out an idea. Most of the time, it doesn’t work.

Every few minutes, the Ghetto Hackers throw a video clip up on the wall to break the monotony. A lot of it is classic arrested-development stuff: women in skimpy outfits using heavily vibrating power tools, that sort of thing. Meanwhile, over by the bar, some attendees project a “Wall of Shame,” listing the usernames and first few password characters of fellow attendees who have been foolish enough to troll without encryption on the Con’s wireless network.

One of the applications featured in this year´s game, a multiuser domain, or MUD, was probably included in recognition of the amount of time most of these guys have spent online during their lives. MUDs are text-based multiuser online games that players can log onto remotely. They´ve been around since the ´80s; geeks will recognize them as the precursors to games like EverQuest. A MUD isn´t all that different from a chat room, and people have been meeting in MUDs for decades. Each team is required to run a MUD and let players from other teams log in.

Early on, Viega discovers a weakness in the MUD´s access controls, rules that should limit what he is able to do. Soon he has gained “wizard” privileges, which give him the power to do things a regular user can’t–like write code that allows him to burgle some tokens.

As the afternoon heads into evening, the Bacon table is littered with empty chip bags and liquor bottles. Viega and company have killed a bottle of Jack Daniels and one of Bailey’s, and a liter of Wild Turkey is on its way.

At around 8 p.m., a ghetto hacker strolls over to talk to Viega. “You submitted your own token, didn´t you?” he asks.

“What do you mean?” Viega replies, and he keeps up the pretense for several minutes of back-and-forth, but eventually his smile gives him away. To score points, players submit the tokens they’ve stolen to a scoring server. Bacon player Pravir Chandra, a cheerful guy in a Hawaiian-print shirt who does security work for AOL, noticed that there didn’t seem to be anything stopping teams from submitting their own token, so Bacon tried it. The game is, after all, about hacking. Cheating is encouraged. The organizer congratulates them, then heads back to fix the flaw.

But by now, other teams are scoring. Pretty soon one called Sk3wl of Root overtakes Bacon for the lead. (Sk3wl means “school” in hacker lingo, and root access to a Unix computer will let you do anything; the team is made up of graduate students in cybersecurity at the Naval Postgraduate School.) Later, Viega gets up to stretch his legs and heads over to the Sk3wl of Root table to say hello. For many, the Con provides a chance to get together with friends you usually encounter only in cyberspace.

Thanks to the insane hours he´s been pulling at his start-up, combined with the demands of a young family, Viega arrived in Vegas with a major case of stress. Somehow, staying up all night hacking appears to be an effective antidote; as the game progresses, he becomes more and more relaxed, and he settles in. Two other players seem as stuck to their chairs as Viega, but others duck out to sample the pool party or catch a nap.

Just before 2 a.m., Viega complains that some of Bacon´s services aren´t locked down. Unlike some teams, which have a clear leader and delineation of duties, Bacon is just a group of smart friends who got together for the qualifying round and then gathered again in Vegas. They each take on tasks as they think of them, and most players are more interested in attacking than defending. Of course, there are risks to this kind of ad hoc strategy, and about an hour after Viega´s comment, the non-locked-down nature of Bacon´s system is confirmed. “We’re owned,” Viega groans. “The title of the PHP interface reads “Sk3wled by Root.””

Being “owned”–when an outsider takes control of a system–is probably what most people think of when they think of hacking. PHP is a scripting language used to generate Web pages, and in this case, Sk3wl of Root has used it to leave a note letting Bacon know who´s in charge. But hacking can be a stealth activity as well; it´s often in an attacker´s interest not to get caught.

Many of the applications the teams must run are services. Most of us use such services every day without thinking–programs that allow us to access e-mail and other information held on some remote computer. If they are compromised, the consequences can be serious.

Most businesses don´t publicize their security problems, so it´s difficult to find out how pervasive they are. But according to a survey of businesses done last year by the U.S. Secret Service, CSO magazine, and the government-funded security center CERT at Carnegie Mellon University, 125 of 500 respondents admitted that their companies had suffered financial loss because of e-crimes. A separate report published by CERT confirmed what hackers have known for years, that “vendors continue to produce software with vulnerabilities, including vulnerabilities where prevention is well understood.” Thousands of weaknesses are discovered in major software products every year, many of them by the people who come to Def Con.

Capture the Flag serves as something of a laboratory-both at Def Con and, increasingly, elsewhere. One of the first times it was played here in Vegas, an NSA employee told Jeff Moss that the agency planned to use the game internally. Today, versions of Capture the Flag are used in government and academia for training. “With security, the devil is so much in the details,” explains Giovanni Vigna, a professor at the University of California at Santa Barbara who uses a version of the game for one of his final exams. “Until you do it, you don´t really know it.”

Classroom gaming experience and tighter leadership may help explain why the two teams assembled around graduate programs have managed to take the lead in this year´s game. By 9 a.m., Bacon has dropped to fourth place. Still, the players maintain an almost scary focus, and two hours later there´s still no sign of breakfast, never mind lunch. The team manages a couple scores over the next few hours-but not enough to catch up. Sk3wl of Root and a team called Enemy Combatants battle it out for the title. By afternoon, it´s clear that winning is out of the question for Viega and his team. But they aren´t going down quietly.

Martin Murray, a 21-year-old and one of the few Bacon players with a Windows laptop, walks casually across the room and jumps over the table separating the scoring tower from the main floor. In plain view of anyone bothering to look, he walks over to the projector, unplugs it from the scoring system, and plugs his laptop in.

Suddenly the scores disappear and are replaced by an unhappy shade of blue familiar to any Windows user. On the screen is what looks like a long error message, but close to the top you can easily see the words “Bacon . . . Owns . . . Ghetto.”

There´s loud cheering from the floor. A voice comes over the speaker system: “FYI, if anyone saw what just happened, someone owned the projector connection, that’s all.” The scores come back up, showing Sk3wl of Root with a lead that will last all the way to the finish line. For Bacon, the game is over.

Robin Mejia is a freelance writer in Santa Cruz, California.