August 6, 2019

ASU to play lead role at DEF CON conference, considered to be the Super Bowl of hacking

North Korean hackers squeeze $2 billion out of cryptocurrency networks. Russian hackers breach networks using "internet of things" devices. An American woman sneaks into Capital One’s network and steals the personal information of more than 100 million people.

We need heroes. At the world’s largest hacking conference starting Thursday in Las Vegas, some of the top hackers around will compete for the highly coveted black badge only the best earn.

Arizona State University is playing a leading role at DEF CON, where attendees include cybersecurity professionals, students, security researchers, journalists, lawyers, hackers and federal officials. The conference runs Aug. 8–11.

“This is the pinnacle of hacking,” said Adam Doupé, associate director of the Center for Cybersecurity and Digital Forensics in the Global Security Initiative. “As far as ASU, this is our way to be leaders and innovators in the cybersecurity area. We’re the lead organization running this DEF CON Capture the Flag along with other colleagues from other schools, but the core group is at ASU. This gives us as professors a great way to attract undergrads, master’s and PhD students because people can see ASU is at the epicenter of cybersecurity.”

Hackers compete in security competitions where teams hack against each other and try to steal digital information called the flag (like the schoolyard game Capture the Flag).

“Here you have computer systems where they are trying to break into the other team’s systems while defending their own,” said Doupé, who is helping to lead the competition efforts at DEF CON. “It’s considered either the Olympics or the Super Bowl of hacking. Capture the Flag has turned into this really cool way where students or professionals can work and improve their offensive security skills in a really safe environment.”

For organizers, it’s like setting up an obstacle course. They create custom software with one or two bugs. The teams have to look at it and study it like a puzzle. They have to reverse-engineer to understand what’s going on, find the vulnerabilities and exploit the other team’s while patching theirs. It takes months to write the software for the competition.

“It’s exercising a lot of real-world security skills,” said Doupé, an assistant professor in the School of Computing, Informatics, and Decision Systems Engineering. “The market for what they call vulnerability researchers — people who do this for a living — is incredibly in demand. ... This is putting those skills to the test. ... It’s like trying to push the bounds of what people can do and the kinds of things they can hack.”

Adam Doupe ASU cybersecurity expert

Adam Doupé, an assistant professor in the School of Computing, Informatics, and Decision Systems Engineering, will help lead the Capture the Flag competition efforts at DEF CON. Photo by Deanna Dent / ASU Now

Almost everyone in cybersecurity got into the field through playing Capture the Flag games.

“It’s a great way for students to try out their security skills in a safe environment, and it can also get people hooked on thinking, ‘How can I get this to break?’” Doupé said. “Software is everywhere, and software has vulnerabilities and hackers can demonstrate the flaws in systems so we can ultimately make things more secure.”

ASU’s team consists of 18 people, including engineering faculty Yan Shoshitaishvili and Tiffany Bao. Twelve hundred teams compete to qualify. The top 16 teams are invited to DEF CON. There are no cash prizes, but the winning team earns lifelong free passes to the event. The passes are black.

“It’s about the respect,” Doupé said. “These are like the badge of you being an elite hacker.”

A popular game at DEF CON is Spot the Fed. A note on the conference’s website reads:

“If you see some shady MIB (Men in Black) earphone penny loafer sunglass wearing Clint Eastwood to live and die in LA type lurking about, point him out. ... If enough people think it's a true fed, or fed wannabe, or other nefarious style character, you win a 'I spotted the fed!' shirt, and the I.F. (Identified Fed) gets an "I am the fed!" shirt.”

“It’s pretty well known that a lot of the government agencies are there looking for people, but also they want to be on the cutting edge,” Doupé said. “It’s not about trying to prosecute anyone; it’s more about sharing information and understanding what’s going on.”

The feds are also recruiting for heroes. And how do you get in? DEF CON only accepts cash.

“They don’t want to trace anybody,” Doupé said. “You show up with $300 in cash and you can attend DEF CON for four days.”

Top image by Pete Linforth from Pixabay 

Scott Seckel

Reporter , ASU Now

480-727-4502