
Hacking contest promotes security

Last modified: August 4, 2003, 4:55 PM PDT
By Robert Lemos
Staff Writer, CNET

LAS VEGAS--The U.S. government continues to talk tough on computer crime, but here in the desert, hackers--including some from federal agencies--are learning about defending networks by breaking into computers.

The exercise is part of a Capture the Flag-like game that's known as Root Fu. The annual contest pits eight teams at the DefCon conference against each other in a test of network defense and hacking skills. Each team has to defend its own server and applications while trying to break into the servers of the seven other teams.

"This sort of adversarial testing shows what is possible--and not--with security," said Crispin Cowan, chief scientist at Linux security seller Immunix and the leader of the Immunix team. "We value this competition, because we think it is a better evaluation of security than common criteria."

Such comments conflict with tough talk from top-level U.S. officials who still look at hackers as a threat. Laws such as the Digital Millennium Copyright Act and the Cybersecurity Enhancement Act have focused on punishing hackers. But knowledgeable security experts see practicing such skills through Root Fu-like challenges as a necessary way to improve security.

"The reality is that you may have hostility at a high level, but the people who know their stuff decided to come," said Adam Shostack, chief technology officer for security start-up Informed Security.

Each team had to run five Web services on a variant of Unix known as BSD. The services consisted of the music streaming application IceCast, a Web news portal based on Slashcode, two ads, and a multiuser text-based role-playing game known as FurryMuck. Each team accumulated points for having the applications available. The longer a service was up, the more points its supervising team won. However, each team lost points if a service it was running became compromised.

Ghettohackers, the group of hackers who created and officiated the game, focused on making the competition a good measure of offensive and defensive security skills. Late Saturday, the Immunix team retained a large lead, but another team named Anomaly caught up to win the competition on Sunday.

Alan Harper, a security engineer with the Defense Information Systems Agency (DISA), thought that competitions like Root Fu could help others understand that not all hacking is bad.

"There is an understanding, more and more, of ethical hacking," he said. "The technique is the same, but the intent is different. It's not something that we have to hide from our peers at work."

Root Fu--a hackerish name derived from the superuser's name on Unix systems, root, and the final syllable of kung fu--may also have settled a long-debated point, Immunix's Cowan said: whether hackers make the best defenders.

"The offensive attackers have been doing the best code auditing," he said. "They attack, find the holes and then tell the defenders on the team."

The experience underscores that knowing how to attack systems is a critical skill in learning how to defend them. Others have maintained that you can't trust hackers, but Cowan stressed that it's all about the ethics of the hacker.

"Hacking tools should not be illegal, but if I use them to break into your computer, then I'm a criminal," he said.


Copyright 2004 CNET Networks, Inc. All Rights Reserved.