If everything goes as
planned, for 72 hours next February hackers from all over the United
States will hit targets across the Internet in the largest mass attack
to date.
But the affected systems won't be corporate Web servers or
networks; they'll be computers set up and maintained by other hackers
as part of a capture-the-flag game. When the digital dust clears, the
team from either the East Coast or the West Coast will be named winner.
"We have people take over someone's box and play the game from there,"
said "D.D.," a member of the Seattle-based security group Ghetto
Hackers, which kicked off a smaller version of the game, Root Fu, at
the Defcon hacking convention in Las Vegas on Friday. "In terms of our
machines, we are pretty confident that we can contain it." The Ghetto
Hackers have run the smaller capture-the-flag-type game, where eight
teams hack each other on a closed network, for three years at the
convention.
Next year, the group of hacking hobbyists hopes to take the game
global. Dubbed Mega Root Fu, the new game will be the first large-scale
hacking contest played over the public Internet. The group is allowing
teams throughout the United States to sign up at its Web site and hopes
to have a thousand players come February.
Getting the teams on board will likely be the easy part, especially
with the group advertising the contest at the nation's largest hacking
convention. Preventing the game from spilling over to the Internet may
not be as simple. The Ghetto Hackers plan to create a network separate
from, but running on, the Internet, using routing and encryption
technology known as a virtual private network, or VPN.
The prospect of mass attacks by hackers, surprisingly, does not worry security experts much at all.
"It will pretty likely be contained," said Bruce Schneier, a well-known
computer security expert and founder of network-monitoring service
Counterpane Internet Security. "Sure, it's possible that some stuff
will get out, but people are not going to be doing large-scale,
uncontrollable attacks, like worms or viruses."
In fact, the contest could help security experts learn more about online attackers' techniques and how to defend against them.
Last year, the University of California at Berkeley teamed up with the
Information Sciences Institute at the University of Southern California
and the ISI's sister institute in Virginia to start work on a large,
1,000-node network that modeled the Internet. Called the Cyber Defense
Technology Research (DETER) network, the initiative will let
researchers study online attacks and defenses and reset the network to
a clean state easily.
"It's a pretty interesting experiment that they are trying," said Doug
Tygar, professor of computer science and information management at the
University of California at Berkeley and a principal researcher on the
DETER Project. "I hope they are very careful about containment and
being ethical."
Tygar added that though the contest could be an interesting learning
experience, it would likely not be very valuable to academicians.
"We are interested in repeatable scientific experiments of what will
happen on the Internet," he said. "What they are doing is interesting,
but I'm not sure how controlled it will be."
Legally, the contest will be in a grey area, said Jennifer Granick,
clinical director of Stanford University's Center for Internet Law and
Society. If a virulent attack escaped the virtual private network and
caused damage, it could be grounds for a lawsuit.
"Theoretically, it is possible that you would be legally negligent," Granick said.
The pursuit of the larger project may mark the evolution of the Ghetto
Hackers' capture-the-flag contest away from Defcon. The current
eight-team format does not allow more amateur hackers to play, said
Jeff Moss, the conference's founder and organiser.
"This is the longest that we have had one group do the capture-the-flag
event," he said. "It used to be that any of the attendees could walk up
and play."
The contests have also garnered support from nonhackers, who see them as a good outlet and not as a threat.
"I think it is very hard to shut this type of activity down, and I
don't think that would be desirable at all," Berkeley's Tygar said.