
With the drama but not the bruises, hacking becomes a spectator sport

DARPA staged the world's first live computer-versus-computer hacking competition, in which teams battled for a multimillion-dollar purse in front of thousands of cheering fans in Las Vegas.

Ann Hermes/The Christian Science Monitor
Members of Team Shellphish watched as their computer competed Thursday night in the DARPA Cyber Grand Challenge at the DEF CON hacker convention in Las Vegas.

Welcome to the future of hacking, where machines are the stars and the humans are in the audience.

The night before the DEF CON hacker conference began here, seven supercomputers went head-to-head in a kind of Olympics for cybersecurity. The Cyber Grand Challenge, sponsored by the military’s futuristic research arm – the Defense Advanced Research Projects Agency – was the world’s first all-machine hacking tournament.

"Cybercasters" who channeled Monday Night Football announcers delivered the play-by-play commentary for the crowd of 5,000 spectators. But these hosts came with serious geek credentials. Astrophysicist Dr. Hakeem Oluseyi teamed up with two star hackers: Hawaii John, who rocked a bushy hipster beard, and Invisig0th, whose head was shaved except for a ponytail and who sported a T-shirt from the cybersecurity cult classic movie "WarGames."

Seven massive screens at the Paris Hotel ballroom showed the hosts interviewing members of the seven teams, from all over the US, that built the robots. Normally, it would take them up to a year to detect and months to fix bugs hidden in complicated computer code. But as techies relaxed on an array of leather couches munching Twizzlers, they watched visualizations showing their machines finding and vanquishing software flaws in minutes. 

This time, attacks were portrayed for all to see as lines of bright, multicolored dots moving from one machine to another. There was a scoreboard, tallying points for each team, as icons marked how well the computers were defending themselves. Their arena: A huge stage built above 180 tons of water to keep the high-powered machines cool.

And the audience was loving it.

"To be quite honest, I got more excited watching #DARPACGC than the #Olympics," tweeted Capture the Flag veteran and malicious software researcher Jonathan Racicot from his handle @InfectedPackets. 

Clearly, this wasn't your typical capture the flag tournament in which teams compete to quickly find and fix software bugs. 

As a hacker in the audience from Sweden who identified himself only as Jonas said, it's typically "guys just at computers." For DARPA, the biggest challenge was to bring some of the excitement of a live sporting event to hacking, and Jonas said he was impressed.

Spectators were even placing bets on their favorite teams. “I got $20 on Deep Red,” tweeted Cris Thomas from Tenable Security, who goes by his hacker name Space Rogue, referring to the team of researchers from the defense contractor Raytheon.

Even the robots chimed in on social media. “I'm getting tired, already 40 rounds in the game and no end in sight. I wonder what my humans are doing…” Mechanical Phish, the robot built by the University of California, Santa Barbara, tweeted during the competition.

Computers that can find and repair security flaws on their own in real time are a game-changer, especially when human hacking talent is in very short supply. More than one million security jobs are estimated to be unfilled worldwide, at a time when companies and governments are grappling with increasingly serious breaches.

To DARPA, the agency that helped invent the internet, the $55 million spent on the competition in the last two years was worth it.

"This may be the end of DARPA’s Cyber Grand Challenge but it’s just the beginning of a revolution in software security," said program director Mike Walker. "In the same way that the Wright brothers' first flight – although it didn’t go very far – launched a chain of events that quickly made the world a much smaller place, we now have seen for the first time autonomy involving the kind of reasoning that’s required for cyber defense."

In a sign of what’s to come, the crowd went wild when the supercomputer robots found flaws that the judges didn’t even know were there.

And the broader significance wasn’t lost on fans.

"It’s really going to change us as a society," said an audience member who identified himself as Baset. “I can only think of how this will look in five or 10 years. This kind of technology is going to enable countries that aren’t superpowers to level the playing field. The theme of DEF CON is really the rise of the machines, and I’m getting that sense here.

"We will always need humans," he continued. "But this could enable humans to spend their time doing things they should."

Jeff Moss, who founded both the Black Hat and DEF CON hacker conventions, agreed.

"Boy, wouldn’t we rather put our human resources into doing things that humans do best? Teaching other humans, explaining the business risks to companies and working on the policies – instead of spending 20 hours on the latest 15 malware variants? Wouldn’t it be great just to have a computer that can deal with that, robot to robot?" he says.

That, he says, "will be the horseless carriage area of defense." And he’s "excited to see that era ushered in."

The winner of the $2 million prize: Mayhem, built by the ForAllSecure team with technology from Carnegie Mellon University. Second place, with $1 million, went to a program named Xandra by the TechX team from the University of Virginia and GrammaTech Inc. Mechanical Phish collected the $750,000 third-place prize.

On Friday, Mayhem will battle the humans at the annual DEF CON Capture the Flag competition. It’s the first time in the history of the competition that a computer will compete. 

May the best man or machine win.

 
