Carnegie Mellon University’s competitive hacking team, the Plaid Parliament of Pwning—better known as PPP—is no stranger to DefCon, one of the largest and longest running cybersecurity conferences in the world. In fact, PPP has won DefCon’s hacking competition, dubbed the “World Series of Hacking,” four times—in 2013, 2014, 2016, and 2017—and placed second last year, making PPP the strongest team in DefCon history.
PPP is preparing to reclaim the top title at DefCon 27 from August 8 - 10 in Las Vegas, Nevada. Among their ranks this year are five students and alumnae of the Information Networking Institute (INI): current INI students Susie Chang (MS30), Jenish Rakholiya (MS30), and Wai Tuck Wong (MS30); and INI alumnae Erye Hernandez (MS24) and Carolina Zarate (MS29).
The 72-hour contest follows a Capture the Flag (CTF) format, in which teams earn points by breaking into other teams’ servers to collect virtual "flags,” while simultaneously defending their own systems from other teams’ attacks. Having to play both the attacker and defender makes the DefCon CTF one of the most challenging hacking competitions out there.
“Each competing team has a set of services they need to defend from the opposing teams. They also need to find vulnerabilities in those services, create exploits for the vulnerabilities that they find and use those exploits to attack the opposing teams’ services,” explained PPP member Eyre Hernandez (MS24), who graduated from the INI in 2014. This will be Hernandez’s sixth year at DefCon.
Getting to compete in the DefCon CTF is no easy task: each team has to win in a series of competitions over the past 12 months to qualify. The challenges are also kept a surprise until the day of—usually teams will not even know what architecture or operating system they will be dealing with until the start of the competition.
In 2016, the DefCon game environment was altered to simulate the DARPA Cyber Grand Challenge (CGC)—a hacking contest between computers—so that the winning machine could compete against human competitors. (Fun fact: CMU enjoyed a double-win at DefCon 25, as the machine that won the DARPA challenge was a CMU spinoff created by Professor David Brumley, which faced off against a dozen teams from around the world including PPP, who took home the winning title that year.)
“Preparation for DefCon CTF is always a bit difficult since the organizers can come up with some crazy twists to the challenges or the CTF itself,” said Zarate, a recent graduate of the INI’s integrated master’s program in information security. “We try to put in some effort in researching and creating tools that may help us in the weeks leading up to the CTF, but it’s usually hit or miss if they’re relevant.”
While CTFs can be nerve-wracking, INI students who participate in them find they can provide invaluable practice for the types of security situations they will encounter in the real world.
“It’s a fun way to learn and continue learning about computer security,” explained Hernandez. “It exposes you to new and exciting challenges in every competition, which means you are always learning about new topics whenever you play. It’s also great to get hands-on experience which really helps cement the sorts of things we learn about in classes.”
Her PPP teammate Rakholiya, a current M.S. in Information Security (MSIS) student, agreed. “CTFs are usually a fun competition covering a wide range of security concepts, thus I get to learn a lot of new things which otherwise I might have skipped.”
Every year, INI students score high at CTF competitions at the regional, national, and global levels. Many students feel that their time with the INI prepares them for success. “A lot of my work at CMU has required me to be persistent and think creatively, which is great for approaching CTF problems,” said Zarate. “My time as a teaching assistant (TA) for a security undergraduate course also helped reinforce a lot of my knowledge when I had to teach it in a way that beginners could understand.”
Zarate has been a member of PPP since her undergraduate years at CMU, but her introduction to CTF began earlier, while participating in CyLab’s picoCTF, an online capture the flag competition for middle and high school students. She later joined CyLab as a researcher during her time at the INI. “I got involved in picoCTF because I enjoy teaching security topics and I believe CTFs are a great way to do so. They offer a way to cater directly to players’ skill levels and interests in a way that is accessible and engaging—even to younger students!”
In terms of advice for DefCon newcomers, it’s all about practice and teamwork. “DefCon and other such CTFs may seem really hard at first, but the more you play, the more comfortable you become,” said Rakholiya.
Zarate also encourages new players to not be shy about seeking advice from veteran players. “It’s important to find a team and engage with them,” she said. “If you feel out of your depth, then sit in with someone that has more experience and ask questions!”
For those on team PPP, DefCon provides ample opportunity to learn from teammates and competitors alike.
“Collaborating with my teammates is one of the most fun and educational parts of DefCon CTF. Much of the learning I've gotten from the CTF has been from working on preparation or challenges with friends,” said Zarate.
Rakholiya also looks forward to interfacing with players from around the world. “I am excited to meet great CTF players after the competition,” he said.