During August 3rd-5th, two security engineers from the UF Information Technology Security Team participated as members of team "1@stplace," whose deliberately ambiguous name is meant to acknowledge the thin line between success and defeat in the world of IT security. For the second year in a row, 1@stplace won the two-and-a-half-day electronic Capture the Flag competition called WarGamez at DefCon 15.
DefCon is the world's largest annual computer hacker conference with over 7,000 attendees this year. UF Senior Security Engineers John Sawyer and Jordan Wiens were part of the exclusive nine-member team composed of security experts and enthusiasts from all over the U.S.
"Our entire team is extremely dedicated, but focused on the goals of being challenged and having a good time as opposed to winning," said Sawyer. "However, thanks to great leadership from Atlas--the team founder and captain--along with good teamwork and communication, we managed to repeat our win."
The Capture the Flag event has been organized for the last three years by Kenshoto, an elite hacker group. In June, more than 150 teams participated in the on-line qualification round, with the top 7 teams advancing to the finals to compete against 1@stplace as the previous year's winning team. During the finals at DefCon, each team was given access to a virtual server running the FreeBSD 6.2 operating system and approximately 20 custom services (programs) developed by Kenshoto specifically for the competition.
Sawyer said the entire competition was exciting. "There truly was never a dull moment. We set up at 9am, started the competition at 10am, finished at 8pm and went back to our room to work on exploits until 2am. Then, we woke up and did it again."
To win, teams had to discover vulnerabilities in the services, and exploit those vulnerabilities on other servers, all while patching and defending their own server. Successful attacks of other teams' services were scored by stealing and overwriting "flags" consisting of 32 letters and numbers, hidden throughout files on each team's server. The first two teams to exploit a particular service were awarded bonus "breakthrough" points. Additionally, scores were impacted by whether or not a team was able to keep all their services running.
This is the fifteenth anniversary for DefCon since the first event in June 1993, and though the hotel location has changed, it has always been hosted in Las Vegas. In addition to many other contests besides Capture the Flag, presentations are given throughout the weekend on topics such as Tactical Exploitation, Disclosure and Intellectual Property Law: Case Studies, and Re-Animating Drives & Advanced Data Recovery. Livelier presentation titles included: Homeless Vikings and Hacking UFOlogy: Thirty Years in the Wilderness of Mirrors.
"If there's one downside to the CTF," said Wiens, "it's that we miss so many good presentations. Fortunately, we gain great experience from competing and can review the slides and recorded presentations later to catch up on new research."
Sawyer and Wiens got to take home some cool prizes for their win. In addition to the obvious bragging rights, each team member earned a black leather DefCon jacket. The real prize, though, is the coveted "Uber" black badge each brought home, entitling the owner to a lifetime of free admission to DefCon events.
At right, Wiens (top) and Sawyer (bottom) earned bragging rights and cool prizes.