August 4, 2003 4:55 PM PDT
Hacking contest promotes security
The exercise is part of a Capture the Flag-like game that's known as Root Fu. The annual contest pits eight teams at the DefCon conference against each other in a test of network defense and hacking skills. Each team has to defend its own server and applications while trying to break into the servers of the seven other teams.
"This sort of adversarial testing shows what is possible--and not--with security," said Crispin Cowan, chief scientist at Linux security seller Immunix and the leader of the Immunix team. "We value this competition, because we think it is a better evaluation of security than common criteria."
Such comments conflict with tough talk from top-level U.S. officials who still look at hackers as a threat. Laws such as the Digital Millennium Copyright Act and the Cybersecurity Enhancement Act have focused on punishing hackers. But knowledgeable security experts see practicing such skills through Root Fu-like challenges as a necessary way to improve security.
"The reality is that you may have hostility at a high level, but the people who know their stuff decided to come," said Adam Shostack, chief technology officer for security start-up Informed Security.
Each team had to run five Web services on a variant of Unix known as BSD. The services consisted of the music streaming application IceCast, a Web news portal based on Slashcode, two ads, and a multiuser text-based role-playing game known as FurryMuck. Each team accumulated points for having the applications available. The longer a service was up, the more points its supervising team won. However, each team lost points if a service it was running became compromised.
Ghettohackers, the group of hackers who created and officiated the game, focused on making the competition a good measure of offensive and defensive security skills. Late Saturday, the Immunix team retained a large lead, but another team named Anomaly caught up to win the competition on Sunday.
Alan Harper, a security engineer with the Defense Information Systems Agency (DISA), thought that competitions like Root Fu could help others understand that all hacking isn't bad.
"There is an understanding, more and more, of ethical hacking," he said. "The technique is the same, but the intent is different. It's not something that we have to hide from our peers at work."
Root Fu--a hackerish name that derived from the superuser's name on Unix systems, root, and the final syllable of kung fu--may have also settled a long-debated point, Immunix's Cowan said: whether hackers make the best defenders.
"The offensive attackers have been doing the best code auditing," he said. "They attack, find the holes and then tell the defenders on the team."
The experience underscores that knowing how to attack systems is a critical skill in learning how to defend them. Others have maintained that you can't trust hackers, but Cowan stressed that it's all about the ethics of the hacker.
"Hacking tools should not be illegal, but if I use them to break into your computer, then I'm a criminal," he said.